This work is copyright. Apart from any use as permitted under the Copyright Act 1968, no part may be reproduced by any process without prior written permission from the Office of the Privacy Commissioner.

Requests and enquiries concerning reproduction, rights and content should be addressed to:

Copyright Officer

Corporate and Public Affairs

Office of the Privacy Commissioner

GPO Box 5218

SYDNEY NSW 2001

E-mail: privacy@privacy.gov.au

The Hon Philip Ruddock MP

Attorney-General

Parliament House

CANBERRA ACT 2600

Dear Attorney-General

I refer to your request of 13 August 2004 asking me to undertake a review of the private sector provisions of the Privacy Act 1988. I have pleasure in presenting to you the report: Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988.

Foreword

This report is the first major examination of how the laws governing the use of personal information by the private sector in Australia have worked in their first years of operation.

It has been a significant project for the Office and leadership team since last August. The project team was headed by Robin McKenzie.

The report has drawn on information and views from a wide range of sources including individuals, businesses, industry organisations, interest groups, and government agencies across the Commonwealth, and states and territories.

The review has benefited from discussions, consultations and material contained in submissions. I thank all those involved for contributing their ideas and views, and for the constructive way in which those views were conveyed.

I particularly thank the members of the Steering Committee and the Reference Group for their advice and guidance.

Many members of staff contributed in various ways – preparation of the Issues Paper, organising meetings for the Steering Committee and Reference Group, organising public consultations, analysing submissions, developing policy options, putting submissions on the website, undertaking surveys, writing sections of the report, editing and formatting. The Corporate and Public Affairs Section of the Office was involved in all aspects of the review process.

While I hesitate to single out individuals, it would be remiss if I did not acknowledge the major contributions of Robin McKenzie, Pauline Kearney, Paul Armstrong, Chris Cowper and Timothy Pilgrim. Suzanne Christian was responsible for the report compilation, formatting and editing.

To my staff, I express my gratitude for their contribution to this important review and I look forward to further improving the operation of the private sector provisions for the benefit of the community and business.

Karen Curtis

Privacy Commissioner

March 2005

Overview and Executive Summary

Approach to the review

Terms of reference

The Office has undertaken a review of the operation of the private sector provisions of the Privacy Act to see whether they meet their objectives. The objects are outlined in the terms of reference from the Attorney-General which are at Appendix 1.

Participants in the review

In the course of the review, information has been considered from a wide range of sources. They are:

136 written submissions

12 stakeholder workshops in all capital cities

the Review Steering Committee, which includes members of the Privacy Advisory Committee

the Review Reference Group, which includes over 40 representatives from community, business and government

the Office’s Community Attitudes Research

research conducted by other stakeholders, for example, the National Health and Medical Research Council and the Australian Direct Marketing Association

statistics collected by this Office either specifically for this review, or from its complaints management system

A wide range of stakeholders have participated in the review. They include major business and industry sectors, including banking, insurance, finance, private detectives and debt collection, credit reporting, marketing, fundraising, health and allied care, manufacturing, retail, small business, housing, real estate, superannuation, internet, hospitality and welfare. There has also been input from consumer and privacy advocacy groups including consumer, credit, health and academia. In addition, the Office has received input from state and federal government agencies, including health, law enforcement agencies and other regulators, and also dispute resolution bodies.

Timing of the review

The private sector provisions have been in operation since 21 December 2001, or just over three years for non-small business operators, and since 21 December 2002, or just over two years for small businesses that do not qualify for the small business exemption. Given that implementing a privacy scheme, particularly for some sectors, involves complex attitude change and understanding rather than simply complying with clear, black letter law, this is a relatively short period of time to be assessing the operation of the provisions.

In addition, it was not possible to conduct the kind of detailed quantitative research that might give a clearer indication of the actual level of business compliance with its obligations under the scheme. Further, because the scheme is complaint based and the Office has only limited powers to investigate practices on its own initiative, it is possible that there are areas of non-compliance of which the Office is not aware. As a result, although the Office has sought to gain and draw upon quantitative evidence to the extent it is possible and available, it is in the end relying to a considerable extent on anecdotal evidence as well as its own complaint statistics for its conclusions.

Provisions work well on balance

Overview

The review process shows that the private sector provisions have met their objectives in some areas and not in others. In some areas they have failed to meet an objective, but in practice the impact may not have been significant. In others, objectives were met in a way quite different from that envisaged at the time the legislation was implemented. In some, the provisions have not met the objective.

Indeed, it could be argued, for example, that the private sector provisions have not met the two objectives of ‘a national scheme’ or ‘international concerns’. But this does not take away from the overall effect that the National Privacy Principles (NPPs) have worked well and delivered to individuals protection of personal and sensitive information in Australia in those areas covered by the Act.

No fundamental flaw

Although 85 recommendations have been made, this does not equate to dissatisfaction with the provisions. Rather, it means that with the benefit of three years' experience it has become apparent there are ways to improve existing elements of the regime, and there are external influences which have impacted on the efficacy of the legislation.

Although there were a few calls from privacy advocates for the Government to ‘go back to the drawing board’ entirely on the provisions, the Office has no substantive evidence to suggest that the private sector scheme has any significant flaws to warrant dramatic changes.

Provisions have generally worked well for business

The overall view from the business sector is that the scheme has worked well for them, and that there is considerable support for it as it currently stands. Generally speaking, it appears that in most areas, the scheme has met its objective of not unduly impeding the free flow of information, or the right of businesses to achieve their objectives in an efficient way.

Consumers are less satisfied

Generally speaking, however, those representing the consumer and privacy advocate groups were less satisfied that the private sector provisions had met their objectives of adequately providing for the privacy rights of individuals.

International concerns

One area where the private sector provisions have not met their objectives in the way that was anticipated is the objective of meeting international concerns and Australia’s international obligations relating to privacy. It appears that this has been less of a concern to many stakeholders than might have been expected at the time the provisions were enacted. A particular example of this is achieving European Union (EU) adequacy to enable businesses to engage in trade involving personal information with European businesses.

Despite the fact that the private sector provisions have not yet been found adequate by the EU, in general, business does not report a major impediment to trade. In addition, the issue of global trade beyond the EU has meant that the need to address consistency in privacy regulation at a global level has become important. The APEC initiatives on privacy are evidence of this shift.

Approved NPP Codes

Another area where the objectives of the private sector provisions have not been achieved in the way that was anticipated is the adoption of industry and organisation codes by the private sector to regulate their collection, use and disclosure of personal information. There are only three approved codes under the Privacy Act. However, there is no call for the repeal of the code provisions of the Act despite the very low level of take-up. Most businesses appear content to be regulated by the NPPs and to have the Office as their external complaints handling body.

A single national scheme

There is significant inconsistency

There is evidence that the failure of the private sector provisions to meet their objective of achieving national consistency in privacy regulation has had consequences for business efficiency. There is also some evidence that this has posed some impediments in the way of individuals seeking to be aware of, and have respected, their privacy rights. The inconsistency operates at a number of levels, including within the Privacy Act itself, within Commonwealth regulation impacting on privacy, and between state and Commonwealth legislation. The area of privacy involving health information, including health research, has been clearly identified as being greatly affected by all these levels of inconsistency. Other areas affected include employee privacy and tenancy databases.

Reasons for the inconsistency

These inconsistencies have emerged for a number of reasons, some of which relate directly to the formulation of the private sector provisions. Others are a consequence of the rapidly changing environment in which the provisions are operating, and in particular, the heightened security concerns following September 11, and the developments in new technology.

One factor contributing to inconsistency is that within the Privacy Act, there are two sets of slightly different privacy principles, one for the Australian public sector and one for the private sector. As the Government has increasingly drawn upon the private sector - for example, welfare organisations - to carry out activities that were once performed by its agencies, this has become more of an issue.

Another factor appears to be the presence of exemptions in the Act. Submissions and consultations suggest that areas of inconsistency are arising because states and territories are legislating in areas covered by the exemptions. A key example of concern to business is the area of surveillance in the workplace. In the absence of privacy protection in this area in the federal Privacy Act, states and territories are legislating, and each in a slightly different way.

There are also problem areas such as the regulation of tenancy databases by states and territories. As the NPPs do not totally regulate tenancy databases, states and territories are legislating in this area, once again, in a slightly different way.

The desire for more detailed and binding guidance for health care providers, together with inconsistency between private sector provisions and state public sector privacy principles, could also be considered reasons for states to legislate in the health area. Submissions from business and consumers, and consultations, indicate overwhelmingly that this has created a range of different rules that is confusing for health care providers, other businesses holding health information and consumers.

The Office’s complaints caseload, which is larger than expected as a result of the private sector provisions, has meant that the Office has not clarified the application of the NPPs in some of these areas (for example, tenancy databases) as speedily as it would like. In the meantime, states have moved to address what was emerging as a community need to ensure that tenants were not denied housing as a result of inaccurate and unfair listings.

Finally, rapidly changing technology has resulted in Commonwealth legislation that is outside of, but overlaps with, the Privacy Act. The Spam Act 2003 is an example. Spam was less of a concern in 1999 when the private sector provisions were formulated and the private sector provisions did not address this issue. This situation may arise again with the (future) development of new pervasive technologies. Businesses are concerned to ensure that when it does, any new legislation fits well with the private sector provisions.

Approach to recommendations

This report makes a range of recommendations including strategies to address these inconsistencies. But as indicated by the complex factors contributing to these, there is no easy or single fix, especially in a federal system of government. Resolving the issues will involve commitment from all levels of government and a willingness to focus on the big picture.

One thing that became clear in conducting the review is that many of the issues that arise in relation to the operation of the private sector provisions are inter-related. This inter-relation has to be taken into account in recommendations. Recommendations on one aspect of operation will also have the potential to address issues on other aspects of operation.

It is also the case that there are a number of ways that issues arising out of the review could be addressed. Which approach is taken in one area may affect what approach is best taken in other areas. For this reason, in a number of areas, this report has made recommendations as options that could be taken up depending on the approach taken in addressing other issues.

Resourcing implications of reform

In developing recommendations as part of this review, the Office has been aware of the resource implications of reform. Since the implementation of the private sector provisions, the Office has shifted resources from its guidance and advice role to its compliance role to try to better manage and resolve the complaints received. Even so, there is an unacceptably long waiting list of complaints to be handled. This satisfies neither business, who have invested in compliance and in whose interest it is to have complaints against them settled quickly, nor consumers.

Submissions from all sectors discuss funding for the Office[1]. A number of submissions expressly support an increase in resources being granted to the Office[2]. Many of these submissions are particularly concerned by the backlog of complaints and subsequent delay in resolving complaints[3].

There was also a general call for more resources to ensure consumers and businesses are educated about their rights and obligations under privacy laws.[4]

In this review recommendations are made that, if implemented, will impact upon the operation of the Office. This has implications in terms of resources, for both staff and program delivery.

Main recommendations

This report makes recommendations about how the operation of the private sector provisions could be improved. Recommendations are primarily written as either actions that the Australian Government should consider doing, or as measures that the Office could or intends to undertake. A small number of recommendations involve measures that could be taken by state and territory governments.

Some recommendations involve broad high level principles around the operation of the private sector provisions, for example, recommendations to improve national consistency in privacy regulation, including health privacy regulation, and to ensure that the private sector provisions adequately protect privacy in the face of rapidly developing new technologies.

Recommendations for measures to raise awareness of both consumers and business on a range of topics are found in a number of places in the report. These particular recommendations could be regarded as forming the ‘lynchpin’ for a scheme that is intended to operate in a way that benefits individuals while recognising the right of businesses to achieve their objectives in an efficient way.

Other recommendations aim to increase the control that individuals have over their personal information, particularly in relation to information collected about them indirectly or used or disclosed for other purposes such as direct marketing. These include measures to promote short form privacy notices, and a general opt-out right for direct marketing.

The report makes recommendations about the small business exemption aimed at simplifying its application while suggesting that some sectors that have higher privacy risks should be covered by the private sector provisions.

The report also makes recommendations aimed at improving the transparency and fairness of the Office’s complaints process, and at enabling it to better identify and address systemic issues.

Some issues raised are complex and need further consideration by the Australian community. The Office identified the application of the private sector provisions to research, in particular medical research, and to new technologies as warranting further debate. The main recommendations on these issues are that they should be considered in the context of a wider review of the Privacy Act.

In response to concerns that organisations need more guidance or that the NPPs may need amending to ensure that they are applied in a commonsense way, recommendations are made on such matters as alternative dispute resolution schemes, access to health records and major national emergencies.

The report makes a number of more technical recommendations that aim to increase certainty about the application of the NPPs, which in many cases clarify what is already existing practice.

Throughout the report, but particularly in the recommendations, there has been careful consideration of the balance between protecting individual rights and recognising the collective needs of the community, including the business community.

Finally, it became apparent that while the private sector provisions work well, it may be appropriate for the Government to undertake a wider review of privacy for Australians in the 21st century.

The NPPs are based on principles developed in the 1970s and it may be fitting to consider how the operating environment has changed over the last 30 years. For example: Is our definition of personal information still appropriate given technological advances? Do we need different sets of privacy principles covering the private and public sectors? Should the legislation make a distinction between data controllers and data operators? Should the legislation only cover protection of data about living persons? In a changed security environment what are people’s expectations about their personal information?

In some of the 85 recommendations there is a reference to this wider review of privacy. Given that it is a recurring theme throughout the report to give more considered thought to ‘bigger picture’ issues, a recommendation has been made here in the Overview Section. It is the first recommendation listed below, and is followed by the recommendations as identified in each chapter.

Recommendations:

Recommendation: Wider review of Privacy Act

1. The Australian Government should consider undertaking a wider review of privacy laws in Australia to ensure that in the 21st century the legislation best serves the needs of Australia.

Recommendations: National consistency

The Privacy Act has not achieved its object of establishing a ‘single comprehensive national scheme’ for the protection of personal information. As submissions reveal, national consistency is important to business, to charities and to individuals. The lack of national consistency contributes significantly to the costs imposed on business.

2. The Australian Government should consider amending section 3 of the Privacy Act to remove any ambiguity as to the regulatory intent of the private sector provisions.

3. The Australian Government should consider asking the Council of Australian Governments (COAG) to endorse national consistency in all privacy related legislation.

4. The Australian Government should consider setting in place mechanisms to address inconsistencies that have come about, or will come about, as a result of exemptions in the Privacy Act, for example, in the area of workplace surveillance.

5. The Australian Government should consider commissioning a systematic examination of both the IPPs and the NPPs with a view to developing a single set of principles that would apply to both Australian Government agencies and private sector organisations. This would address the issues surrounding Australian Government contractors.

6. The Australian Government should consider changing, by legislative amendment, the name of the Office of the Privacy Commissioner to the Australian Privacy Commission.

7. The Australian Government should consider amending the Privacy Act to provide for a power to make binding codes.

Recommendations: Telecommunications consistency

8. The Australian Government should consider amending the Privacy Act and the Telecommunications Act to clarify what constitutes authorised uses and disclosures under the two Acts, and to ensure that the Privacy Act cannot be used to lower the standard of privacy protection in the Telecommunications Act.

9. The Australian Government should consider making regulations under section 6E of the Privacy Act to ensure that the Privacy Act applies to all small businesses in the telecommunications sector, including Internet Service Providers and Public Number Directory Producers.

10. The Office will discuss with the Australian Communications Authority the development of guidance to clarify the relationship between the private sector provisions of the Privacy Act and Part 13 of the Telecommunications Act.

11. The Office will discuss with the Australian Communications Authority the development of guidance to clarify the relationship between the private sector provisions of the Privacy Act and the Spam Act.

Recommendations: Health consistency

12. The Office urges the National Health Ministers’ Council to finalise the National Health Privacy Code. This should include agreement by all jurisdictions on the contents of the code and on its consistent implementation in each jurisdiction.

13. The Australian Government should consider adopting the National Health Privacy Code as a schedule to the Privacy Act. This would recognise the Australian Government’s part in the consistent enabling of the Code. Should agreement not be reached by all jurisdictions about implementing the Code, the Australian Government should still consider adopting the code as a schedule to the Act to provide greater consistency of regulation for the handling of health information by Australian Government agencies and the private sector. (See also recommendations 29, 33 and 35.)

Recommendations: Residential tenancy databases

14. The Australian Government should advance as a high priority the work currently being undertaken by the Working Group on Residential Tenancy Databases of the Ministerial Council on Consumer Affairs/Standing Committee of Attorneys-General.

15. The Australian Government should consider, depending on the outcome of the Ministerial Council on Consumer Affairs/Standing Committee of Attorneys-General, making the Privacy Act apply to all residential tenancy databases. This could be done by using the existing power under section 6E to prescribe them by regulation, or by amending the consent provisions (section 6D(7) and section 6D(8)) that apply to the small business exemption. (See recommendation 53.)

16. If the Privacy Act is amended to provide for a power to make a binding code (see recommendation 7), and depending on the outcome of the Ministerial Council on Consumer Affairs/Standing Committee of Attorneys-General, the Privacy Commissioner could make a binding code that applies to tenancy databases.

Recommendation: EU ‘adequacy’ and APEC

17. There is no evidence of a broad business push for ‘adequacy’. Given the increasing globalisation of information, however, there may be long term benefits for Australia in achieving EU ‘adequacy’. Certainly the globalisation of information makes the implementation of frameworks such as APEC important. The Australian Government should continue to work with the European Union on the ‘adequacy’ of the Privacy Act and to continue work within APEC to implement the APEC Privacy Framework.

Recommendation: NPP 9

18. The Office will provide further guidance to assist organisations to comply with NPP 9 by issuing an information sheet outlining the issues that should be addressed as part of a contractual agreement and how to more easily assess whether a privacy regime is substantially similar.

Recommendations: Control over personal information

19. The Australian Government should consider amending NPP 5.1 to provide for short form privacy notices. This could also clarify the obligations on organisations to provide notice, and clarify the links between NPP 1.3 and NPP 5.1.

20. The Office will encourage the development of short form privacy notices. It will also play a more active role in assisting businesses to develop their notices by developing template notices for different sectors, in consultation with them, and by issuing examples of both satisfactory and unsatisfactory notices.

21. The Office will develop guidance to the effect that privacy notices should be dated.

22. The Office will develop guidance on bundled consent, noting the possible tension between the desirability of short form privacy notices and the desirability of lessening the incidence of bundled consent.

Recommendations: Direct marketing

23. The Australian Government should consider amending the Privacy Act to provide that consumers have a general right to opt out of direct marketing approaches at any time. Organisations should be required to comply with the request within a specified time after receiving the request.

24. The Australian Government should consider amending the Privacy Act to require organisations to take reasonable steps, on request, to advise an individual where it acquired the individual’s personal information.

25. The Australian Government should consider exploring options for establishing a national ‘Do Not Contact’ register.

Recommendations: Consumer education

26. The Australian Government should consider specifically funding the Office to undertake a systematic and comprehensive education program to raise community awareness of privacy rights and obligations.

27. The Office will continue to collect demographic information about complainants. It will seek to identify and then remove any barriers that prevent sectors of the community from knowing about and exercising their privacy rights.

Recommendations: Access generally

28. The Australian Government should consider amending NPP 6 to provide that when an individual’s personal information is corrected in response to a request from the individual, the organisation should be obliged to notify third parties, where practicable, that they have received the inaccurate information.

29. The Australian Government should consider adopting the Australian Health Ministers’ Advisory Council (AHMAC) Code as a schedule to the Privacy Act (see recommendation 13). This will address the issue of intermediaries, and the issue of fees for access. (See also recommendations 13, 33 and 35.)

30. The Office will develop further guidance on the operation of NPP 6.1 on ‘serious threat to life or health’, explaining that a serious threat to a therapeutic relationship could be a serious threat to a person’s health. This will go some way towards addressing what appears to be a too narrow interpretation of NPP 6.1(b) by some practitioners.

31. The Office will develop guidance on fees for access to personal information.

32. The Office will develop guidance on the meaning of NPP 6.5, which requires that an individual ‘establish’ that information is not accurate before the organisation needs to take reasonable steps to correct it.

Recommendations: Transfer of health records

33. The Australian Government should consider adopting the Australian Health Ministers’ Advisory Council (AHMAC) code as a schedule to the Privacy Act. This will address the issue of the transfer of health records to another health service provider. (See also recommendations 13, 29 and 35.)

34. The Australian Government should consider, if the AHMAC Code is not adopted into the Privacy Act, amending the NPPs to include a new principle along the lines of National Health Privacy Principle 11 in the AHMAC Code.

Recommendations: Health service ceases to operate

35. The Australian Government should consider adopting the AHMAC code as a schedule to the Privacy Act. This will address the issue of access to health records when a health service ceases to operate. (See also recommendations 13, 29 and 33.)

36. The Australian Government should consider, if the AHMAC Code is not adopted into the Privacy Act, amending the NPPs to include a new principle along the lines of National Health Privacy Principle 10 in the AHMAC Code.

Recommendations: Complaints handling and compliance

Approach to compliance

37. The Office will maintain its current approach to compliance including the focus on attempting to conciliate complaints in the first instance as set out in Information Sheet 13. However, the Office will consider whether it might be appropriate in some circumstances to use its other powers earlier, such as the determination making power.

38. The Office will consider options for providing more feedback on systemic issues either in advice or guidance or in some form of regular update to stakeholders.

39. The Office will consider promoting privacy audits by private sector organisations, including by providing information on the value of auditing as evidence of compliance in the event of complaints and by developing and providing privacy audit training for organisations.

Review rights for complaint decisions

40. The Australian Government should consider amending the Privacy Act to give complainants and respondents a right to have the merits of complaints decisions made by the Privacy Commissioner reviewed.

Fair and transparent complaint processes and resolution

41. The Australian Government should consider amending National Privacy Principle 1.3 to require organisations to tell individuals how they can complain to the organisation; and that, if the complaint is not resolved, they can also complain to the Privacy Commissioner or (where relevant) the code adjudicator.

42. The Office will review its complaints handling processes and will consider the circumstances in which it might be appropriate to make greater use of the Commissioner’s power to make determinations under section 52 of the Privacy Act.

43. The Office will also consider measures to increase the transparency of its complaints processes and complaint outcomes.

Additional powers

44. The Australian Government should consider amending the Privacy Act to:

expand the remedies available following a determination under section 52 to include giving the Privacy Commissioner power to require a respondent to take steps to prevent future harm arising from systemic issues

provide for enforceable remedies following own motion investigations where the Commissioner finds a breach of the NPPs

provide a power for the development of binding codes and/or binding guidelines in cases where there is a strong public interest, where more detailed guidance is warranted or complaints reveal recurrent breaches (see recommendation 7).

Resourcing implications and complaint handling

45. The Australian Government should consider the strong calls by a wide range of stakeholders for the Office to be adequately resourced to meet its complaint handling functions.

46. The Australian Government should consider amending the Privacy Act to give the Commissioner a further discretion not to investigate complaints where the harm to individuals is minimal and there is no public interest in pursuing the matter.

Recommendation: Approved privacy codes

47. The Office will review the Code Development Guidelines dealing with the processes relating to code approval with a view to simplifying them.

Recommendations: Business awareness

48. The Australian Government should consider the benefits of greater business and community awareness of privacy and specifically fund the Office to undertake a systematic and comprehensive education program to raise business awareness.

50. The Office will develop strategies for communication with stakeholders, including establishing a privacy contact officer network for private sector organisations.

Recommendations: Small business exemption

51. The Australian Government should consider retaining but modifying the small business exemption by amending the Privacy Act so that the definition of small business is to be expressed in terms of the ABS definition, currently 20 employees or fewer, rather than annual turnover.

52. The Attorney-General should consider using the power to prescribe under section 6(E) of the Privacy Act, the tenancy databases and telecommunications sectors including Internet Service Providers and Public Number Directory Producers as businesses to be covered by the Act. (See recommendations 9 and 15.)

53. The Australian Government should consider amending the Privacy Act to remove the consent provisions (sections 6D(7) and 6D(8)).

Recommendations: Private sector contracting

54. The Australian Government should consider amending NPP 4 to impose an obligation on an organisation to ensure personal information it discloses to a contractor is protected.

55. The Australian Government should consider, in the context of the wider review of the Privacy Act (see recommendation 1), whether there should be a distinction between data controllers and data operators.

56. The Office will amend the Guidelines to the National Privacy Principles to clarify that businesses that give personal information to contractors for the purpose of performing a function on their behalf should impose contractual obligations on the contractor to take reasonable steps to protect the information.

Recommendation: Due diligence

57. The Australian Government should consider amending the NPPs to take into account the practice of due diligence.

Recommendations: Media exemption

58. The Australian Government should consider amending the Privacy Act so that:

• the Australian Broadcasting Authority (ABA) and media bodies must consult with the Privacy Commissioner when developing codes that deal with privacy and

• the term ‘in the course of journalism’ is defined and the term ‘media organisation’ is clarified.

59. The Office will, in conjunction with the ABA, provide greater guidance to media organisations as to appropriate levels of privacy protection, especially in relation to health issues, and make organisations aware that the media exemption is not a blanket exemption.

Recommendations: Research

60. As part of a broader inquiry into the Privacy Act (see recommendation 1), the Australian Government should consider:

• how to achieve greater consistency in regulating research activities under the Privacy Act

• whether regulatory reform is needed to address the issue of de-identification in the context of research and the handling of health information

• where the balance lies between the public interest in comprehensive research that provides overall benefits to the community, and the public interest in protecting individuals’ privacy (including individuals having choices about the use of their information for such research purposes)

• whether there is a need to amend NPP 2 to permit the use and disclosure of personal information for research that does not involve health information

• undertaking further research and education work with the broader community to ensure that the balance between research and privacy accords with what the community expects and understands.

61. The Office will issue guidance in relation to NPP 2 to clarify that organisations can disclose health information for the management, funding and monitoring of a health service.

62. The Office will work with the National Health and Medical Research Council to simplify the reporting process for human research ethics committees under the section 95A guidelines.

Recommendations: Decision-making where capacity is impaired

63. The Australian Government should consider, in order to ensure that the Privacy Act does not prevent individuals with a decision-making disability from receiving a range of utilities and other services, amending NPP 2 to permit the disclosure of non-health information to a class of persons the same, or similar, to that described in NPP 2.5, where an organisation considers the disclosure to be necessary for the management of the person’s affairs in a way that their financial or other interests are secured or safeguarded.

It would be appropriate to consider developing such an amendment in consultation with the Australian Guardianship and Administration Committee.

64. The Office will, in recognition that disclosures of health information under NPP 2 are appropriately permitted in law but may not occur in practice, develop further and more practical guidance.

Recommendation: Law enforcement

65. The Office will work with the law enforcement community, private sector bodies and community representatives to develop more practical guidance to assist private sector organisations to better understand their obligations under the Privacy Act in the context of law enforcement activities.

Recommendation: Private investigations

66. The Australian Government, through the Attorney-General, should consider requesting that the Standing Committee of Attorneys General (SCAG) consider the issues raised by the Australian Institute of Private Detectives as they are broader than the Privacy Act.

Recommendations: Alternative dispute resolution schemes

67. The Australian Government, in recognising the important role played by Alternative Dispute Resolution (ADR) schemes, and in an attempt to formalise advice already given by the Office, should consider:

• amending NPP 2 to enable use and disclosure of personal information to ADR schemes in the course of handling disputes

• amending NPP 10 to enable collection of sensitive information where it is necessary for the investigation and resolution of claims under an ADR scheme

• defining the term ‘Alternative Dispute Resolution Scheme’ for these purposes in the Act.

Recommendations: Large scale emergencies

68. Privacy laws should take a common sense approach. There needs to be an appropriate balance between the desirability of having a flow of information and protecting individuals’ right to privacy. In developing an exception to disclosure for cases of national emergencies, consideration should be given to the seriousness of the privacy breach versus that of protecting privacy.

In large scale emergencies, the consequences of disclosure should be compared to the consequences of non-disclosure. Consideration also needs to be given to the potential identity fraud that may occur during such a time, especially if disclosure is allowed to the media.

The Australian Government should consider:

• amending NPP 2 to enable disclosure of personal information in times of national emergency to a ‘person responsible’

• extending the NPP 2.5 definition of ‘person responsible’ to include a person nominated by the family to act on behalf of the family

• amending the Privacy Act to enable the Privacy Commissioner to make a Temporary Public Interest Determination without requiring an application from an organisation

• defining ‘National Emergency’ as ‘incidents’ determined by the Minister under section 23YUF of the Crimes Act 1914.

Recommendations: New technologies

69. The Australian Government should consider, in the context of a wider review of the Privacy Act (see recommendation 1), reviewing the National Privacy Principles and the definition of personal information to assess whether they remain relevant in the light of technological developments since the OECD principles were developed. This should ensure that the private sector provisions remain technologically neutral and relevant to protect data privacy in the main contexts in which information about people is currently collected, used and disclosed.

70. The Australian Government should consider initiating discussions through appropriate international forums about how to deal with major international jurisdictional issues arising from the global reach of new technologies such as Voice over Internet Protocol (VoIP).

71. The Australian Government should consider developing specific enabling legislation to underpin any national electronic health records system. The legislation should be consistent with the National Health Privacy Code, but also include enhancing protections for matters such as the voluntariness of the system and limitations upon the uses of people’s health records.

72. The Office will issue further guidance, consistent with the current law, on what is personal information which takes into account the fact that in the current environment it is more difficult to assume that any information about people cannot be connected.

73. The Office could use, if necessary, any new powers to develop binding codes (see recommendation 7) to deal with technologically specific situations.

Recommendation: NPP 1.3(d)

74. The Australian Government should consider amending NPP 1.3(d) to make clear that an organisation collecting personal information from an individual must take reasonable steps to notify them of likely disclosures generally, including to public sector agencies of the Australian Government, state or local governments, other bodies and private individuals.

Recommendation: Reasonable steps for NPP 1.3 and 1.5

75. The Australian Government should consider amending NPP 1.3 and NPP 1.5 to make clear that there are situations in which the reasonable steps an organisation might take to provide notice to an individual may equate to no steps.

Recommendation: NPP 1.5 – ‘Someone’

76. The Australian Government should consider amending NPP 1.5 to remove the term ‘someone’, and to make clear that an organisation has an obligation to take reasonable steps to provide notice to an individual when collecting their personal information indirectly, from any source.

Recommendations: Primary purpose and health information

77. The Office will work with the health sector to develop further guidance about the operation of NPP 2 as it specifically relates to the issue of primary and secondary purpose in health care.

78. The Office will provide clearer guidance on the operation of NPP 2 to give more effective and practical assistance to demonstrate how the principle operates. This will take into account the range of relationships between health services and individuals, particularly where individuals agree to a holistic approach to the delivery of a health service.

Recommendation: NPP 3 – Data quality

79. The Office will provide further guidance to organisations about their obligations under NPP 3, particularly to ensure they take a proportional approach to complying with the principle. This will include guidance about organisations taking into account whether or not there are good privacy reasons for seeking to update an individual’s personal information.

Recommendation: NPP 7 – Identifiers

80. The Australian Government should consider using the existing regulation-making mechanism under NPP 7 to address circumstances such as those identified by Centrelink regarding concessional entitlements.

Recommendations: NPP 10 – Public Interest Determinations

81. The Australian Government should consider amending NPP 10 to include an exception that mirrors the operation of Public Interest Determinations 9 and 9A.

82. The Australian Government should consider undertaking consultation on limited exceptions or variations to the collection of family, social and medical history information, particularly with regard to genetic information and the collection practices of the insurance industry.

Recommendations: NPP 10.2(b)

83. The Australian Government should consider amending NPP 10.2 to permit the collection of health information (under NPP 10.2(b)(i)) ‘as authorised by law’ in addition to ‘as required by law’.

84. The Australian Government should consider amending NPP 10.2(b)(ii) to clarify the nature of the binding rules intended to be covered by this provision, particularly with regard to the substantive content of such rules.

Recommendations: Deceased persons

85. If the National Health Privacy Code is adopted into the Privacy Act (see recommendation 13), then protection for health information under these provisions would extend to deceased persons. Also, the Australian Government’s response to the Australian Law Reform Commission and the Australian Health Ethics Committee’s inquiry into the protection of human genetic information in Australia may have implications for the Privacy Act. In addition, the Australian Government should consider as part of a wider review (recommendation 1) whether the jurisdiction of the Privacy Act should be extended to cover the personal information of deceased persons.

1. Background

1.1 This Inquiry

Background to the review

The Review of the Privacy Act was foreshadowed by the former Attorney-General, the Hon Daryl Williams AM QC MP, in his second reading speech for the Privacy Amendment (Private Sector) Act 2000. The Commissioner was asked to review the operation of the private sector provisions of the Act by the Attorney-General, the Hon Philip Ruddock MP, on 13 August 2004.

Terms of Reference

The Office conducted the review within the terms of reference outlined by the Attorney-General. They are included in full at Appendix 1 of this report. They provide for an assessment of the operation of the private sector provisions and a consideration of the extent to which the private sector provisions meet their objects. These objects include creating a single comprehensive national scheme for the appropriate handling of an individual’s personal information by organisations, in a way that:

• meets international concerns and obligations relating to privacy

• recognises individuals’ interests in protecting privacy and

• recognises important human rights and social interests that compete with privacy, including the general desirability of the free flow of information (through the media and otherwise) and the right of business to achieve its objectives efficiently.

Matters not included in the review

• electoral roll information and the related exemption of political organisations from the Privacy Act.

The terms of reference state that these areas are currently, or have recently been, subject to processes of review.

The terms also mean that Part IIIA of the Privacy Act, which deals with credit reporting, has not been reviewed. However, the credit reporting provisions, where relevant to the operation of the private sector provisions, have been considered.

Other relevant privacy related reviews and processes

There are a number of processes underway that touch on privacy in some way. For example, initiatives to develop a national health code (Australian Health Ministers’ Advisory Council (AHMAC) process) and the review of privacy protection for employee records. In developing the recommendations in this report, the Office has taken into account, where appropriate, the work being done in these areas.

Research

To help inform the review work, including submissions to the review, the Office conducted research into community attitudes towards privacy in April 2004. This complements research it conducted in July 2001 into attitudes towards privacy in the spheres of government, business and the community. This Community Attitudes Research can be found on the Office’s website. The results of the 2004 research are summarised at Appendix 6 and the full report is to be found on the Office’s web site.

Framework for assessing issues

The terms of reference ask the Privacy Commissioner to consider the degree to which the private sector provisions meet their objects. The Office used this framework for assessing the provisions. This involved considering the following issues.

1. Do the provisions provide a comprehensive, national, consistent set of standards for privacy? Do they fit seamlessly into the Privacy Act? Do they relate effectively with other federal privacy provisions, the privacy laws of the States and Territories and other relevant federal law?

2. Do the provisions operate in a way that assists Australian businesses to operate internationally? Are they adequate to ensure Australia fulfils its international obligations relating to privacy?

3. Are individuals confident that their interests in protecting their privacy are recognised and that personal information that is collected, used, stored and disclosed by organisations is adequately protected? Are individuals aware of, and able to exercise, their rights?

4. Do the provisions strike an appropriate balance between privacy and competing human rights and social interests, including free speech, medical research, national security, law enforcement and property rights? Is there a free flow of information? Is business aware of its obligations and able to comply with them while still achieving its objectives efficiently?

Conduct of the review – overview of consultation

The Privacy Commissioner received the terms of reference from the Attorney-General on 13 August 2004. The review of the private sector provisions was completed by 31 March 2005. The Privacy Commissioner encouraged widespread public participation in the review through a number of measures. The Office:

• made three media releases in August, September and October advertising the review, asking organisations and individuals to give their views about the operation of the private sector provisions and informing the public about key dates in the conduct of the review

• contacted stakeholders listed on the Office’s contacts database and network list via e-mail about the review, requesting submissions and promoting the public consultation forums. The Office made follow-up phone calls to stakeholders preceding their local public consultation forum.

• circulated an e-mail notification about the review through relevant industry and government networks

• gave a number of presentations to industry forums and national conferences

• conducted a number of private meetings with stakeholders at their request regarding the review and the operation of the private sector provisions of the Act.

The Commissioner appointed a steering committee to assist with and advise on the conduct of the review. The Steering Committee members were:

The Steering Committee met on five separate occasions throughout the process to discuss the conduct of the review.

The Commissioner also reconvened the core consultative group which had been formed by the Attorney-General in 1998 to advise on the development of the private sector provisions. The group, reconvened by the Commissioner and renamed the Review Reference Group, consisted of approximately 40 representatives from consumer groups, industry and government who have been affected by the operation of the Act. Approximately half of the reconvened group were part of the original group that advised on the introduction of the private sector provisions. The Review Reference Group was consulted regarding the conduct of the review, the issues contained in the issues paper, and the options for reform. The list of members is available at Appendix 2.

Issues Paper

To assist stakeholders to make submissions, the Commissioner released an issues paper on 27 October 2004.

The issues paper sought to provide a framework for assessing the extent to which the private sector provisions met their objectives as defined in the terms of reference. The issues paper closely followed the terms of reference and sought to help stakeholders assess whether the provisions meet international concerns and Australia’s obligations relating to privacy. It raised issues about whether the legislation provides appropriate protection of individuals’ privacy while allowing a balance to be struck with competing human rights and social interests including the desirability of a free flow of information and the right of business to achieve its objectives efficiently.

Consultation Meetings

The Office organised consultation meetings in all of the capital cities during 2004. Meetings were held in:

• Adelaide on 4 November

• Perth on 11 November

• Hobart on 17 November

• Melbourne on 18 November

• Sydney on 22 November

• Darwin on 25 November

• Brisbane on 30 November

• Canberra on 8 December

There were also health forums held in Perth on 11 November, Melbourne on 18 November and Darwin on 25 November. In addition, a telecommunications forum was convened in Melbourne on 19 November 2004.

At each meeting the Commissioner or a representative of the Office led the discussion using a presentation which can be found on the Office’s website.

The consultation forums were attended by a wide range of participants from diverse industry sectors including the finance sector, direct marketing, credit reporting, debt collection, law firms, law societies, telecommunications, retail, real estate, fundraising and the health sector including doctors, researchers and pharmacists, and the community sector including consumer and public interest advocates, community legal and tenancy advice centres and union representatives.

Issues raised in these forums have been incorporated throughout this report.

Written Submissions

The Commissioner encouraged stakeholders to make written submissions to aid the Review. In all, the Review received 136 written submissions (see Appendix 3) ranging in length and style from individuals, organisations, industry bodies, advocacy groups and government agencies. Of these, 20 submissions requested to remain confidential. These submissions can be found on the Office’s website.

Structure of report

The structure of this Report reflects the Terms of Reference received from the Attorney-General.

Chapter 1 gives background to the inquiry and an overview of the private sector provisions of the Privacy Act.

Chapter 2 examines the degree to which the private sector provisions establish national consistency in the way private sector organisations collect, hold, use, correct, disclose and transfer personal information.

Chapter 6 considers how effectively the private sector provisions balance an individual’s right to privacy with other competing social interests such as business efficiency and the desirability of a free flow of information.

Chapter 7 considers other social interests that compete with privacy and whether the private sector provisions have achieved the appropriate balance.

Chapter 8 looks at developments in new technologies.

Chapter 9 looks at whether any NPPs not addressed elsewhere in the report may need to be amended to create greater certainty in their interpretation.

Chapter 10 covers other issues that arise in relation to the private sector provisions.

1.2 Private Sector Provisions of the Privacy Act

History of Commonwealth Privacy Legislation

Commonwealth agencies

The Privacy Act was enacted in 1988. It provides for the Office of the Privacy Commissioner and a Privacy Commissioner and lists 11 principles governing the collection, use, storage, access to, maintenance and disclosure of an individual’s personal information. These Information Privacy Principles (IPPs) apply to personal information held by Australian Government agencies. Since 1994, the IPPs have also applied to Australian Capital Territory (ACT) agencies.

Tax file numbers and credit reporting

The Privacy Act also provides for the Commissioner to issue tax file number guidelines and to investigate acts or practices of tax file number recipients that breach these guidelines.

In 1990, the Privacy Act was amended to regulate the handling of credit reports and other creditworthiness information about individuals held by credit reporting agencies and credit providers[5].

Private sector

Voluntary principles

In February 1998, following extensive consultation, the Privacy Commissioner issued the National Principles for the Fair Handling of Personal Information (the National Principles), compliance with which was voluntary. This was partly in response to a directive on information privacy adopted in October 1995 by the European Parliament and the Council of the European Union (EU) which included a provision that personal data could not be transferred from an EU country to a non-EU country unless there was an adequate level of information privacy.

Privacy Amendment (Private Sector) Act 2000

In late 1998, the Government announced its intention to legislate to support and strengthen privacy protection in the private sector. After widespread consultation the Privacy Amendment (Private Sector) Act 2000 was passed in December 2000 with a commencement date of 21 December 2001. It aimed to establish a single comprehensive national scheme governing the collection, holding, use, correction, disclosure and transfer of personal information by private sector organisations. It did so by means of the National Privacy Principles (NPPs) and provisions allowing organisations to adopt approved privacy codes.

Co-regulation

The approach adopted by the legislation was one of co-regulation. This refers to a legislative framework within which self-regulatory codes of practice can be given official recognition[6]. The aim of the legislation was ‘to encourage private sector organisations and industries which handle personal information to develop privacy codes of practice’[7]. In the absence of a code, the NPPs would apply. This co-regulation aimed to ensure consistency and standardisation of personal information handling[8].

Balancing rights and obligations

The legislation acknowledges that privacy is not an absolute right and that an individual’s right to protect his or her privacy must be balanced against a range of other community and business interests. These include the general desirability of a free flow of information (through the media and otherwise) and the right of business to achieve its objectives efficiently. The legislation seeks to achieve the appropriate balance by providing for, among other things, a number of exemptions from the legislative requirements, including most small businesses.

Key drivers for private sector provisions

The Explanatory Memorandum for the private sector provisions outlined concerns raised in consultations on the absence of privacy protection that self-regulation had not resolved. It said:

‘These concerns include

• the potential for barriers to international trade for business

• the lack of protection afforded to the consumer

• the effects on the take-up of electronic commerce resulting from lack of protection to consumers

• the lack of comprehensive coverage of business

• the possibility that some States and Territories will impose stricter controls, which may result in inconsistencies between jurisdictions’[9].

Another factor underpinning the legislation was the International Covenant on Civil and Political Rights (ICCPR) that Australia had ratified. This provides that individuals shall not be subjected to arbitrary or unlawful interference with their privacy and that they have the right to the protection of the law against such interference or attacks[10].

2004 amendments to the legislation

Amendments to the legislation in April 2004[11] make it clear that the protection provided by NPP 9, which regulates transborder data flows, applies equally to the personal information of individuals who are Australian and those who are not. They remove the nationality and residency limitations on the power of the Privacy Commissioner to investigate complaints relating to the correction of personal information. They also give businesses and industries more flexibility in developing privacy codes by allowing the codes to cover otherwise exempt acts and practices where the authors of the code wish to do so.

What do the Private Sector Provisions cover?

Purpose

The private sector provisions of the Privacy Act give individuals control over the way personal information about them is handled by private sector organisations. They regulate the way many private sector organisations collect, use, keep secure and disclose personal information. They also give individuals a right to know what information an organisation holds about them and a right to correct it if it is wrong.

Who is covered?

The provisions apply to organisations, including corporations and unincorporated associations, with an annual turnover of more than $3 million. They also apply, regardless of annual turnover, to all private sector health service providers, to organisations that buy and sell information without the individual’s consent, and contracted Commonwealth service providers in relation to their contractual activities[12]. Specified acts and practices of organisations are exempt from the operation of the Privacy Act. These include in general terms acts or practices:

• done by an individual other than in the course of the individual’s business, for example, in the course of his or her personal, family or household affairs[13]

• that are related to an employee record and directly related to the employment relationship[14]

• done in the course of journalism by a media organisation that is publicly committed to observing published privacy standards[15] and

• done by a politician or political organisation, and their contractors, subcontractors and volunteers, in relation to electoral matters[16].

What obligations are imposed?

In general terms, a private sector organisation covered by the Act must not do anything that breaches an approved code binding on it. If not bound by an approved code, it must not do anything that breaches an NPP.

National Privacy Principles

The NPPs govern the collection, use and disclosure, security, quality and access to and correction of personal information. They include principles applicable to the use and disclosure of personal information for specific purposes, including:

• direct marketing

• in the case of health information, research or statistical compilation or analysis relevant to public health or public safety

• protection of health and safety and

• law enforcement.

The general principle that a person should have access to information organisations hold about them includes exceptions, such as exceptions based on health and safety, law enforcement and national security. Special provisions apply to sensitive information, including information about an individual’s racial or ethnic origin, membership of political or professional or trade associations, religious beliefs and so on. Generally speaking, a higher level of protection is afforded sensitive information than personal information.

Advice and guidance

The Office plays an active role in raising awareness about individuals’ privacy rights and in providing advice to business about its obligations. It provides information by way of its information hotline and its web site. The web site contains all the Office’s publications, answers to Frequently Asked Questions, media comments, media releases, speeches, case notes, an online complaint checker, multi-lingual web pages, guidelines, information sheets, brochures and the annual report. Members of the Office also make speeches and presentations at a range of events.

Approved Codes

The Act provides for the approval of privacy codes by the Commissioner. To be approved a code must:

set out obligations that, overall, are at least the equivalent of all the obligations set out in the NPPs

specify which organisations are bound by the code

bind only organisations that consent to be bound and

if the code includes procedures for dealing with complaints, the procedures must meet specified standards.

In addition, members of the public must have been given adequate opportunity to comment on a draft of the code[17]. The Commissioner must keep a register of approved privacy codes[18].

Complaints

An individual may complain to the Commissioner about an interference with his or her privacy, unless an approved code applies and the code has its own code adjudicator. The Commissioner is required to investigate complaints, unless it is appropriate to exercise one of the discretions not to investigate, including for example, if the individual has not first complained to the organisation in question. If the complaint is upheld, the Commissioner may make a determination that the organisation should not repeat the conduct complained about.

2 National Consistency

2.1 National consistency overall

National consistency was a goal of legislation

In introducing the private sector provisions of the Privacy Act, the then Attorney-General, the Hon Daryl Williams AM QC MP, noted that although some Australian businesses had already established privacy codes of practice this was not being done consistently. By contrast, the private sector amendments provide ‘a national, consistent and clear set of standards to encourage and support good privacy practices’. It was the Government’s intention:

‘to establish a single national comprehensive scheme for the protection of personal information by the private sector. However, state and territory laws would continue to operate to the extent that they are not directly inconsistent with the terms of the bill’[19].

Issues

The issues paper suggested a number of topics for submissions related to national consistency. It asked:

whether national consistency was important and whether or not it was being achieved

about areas of overlap, including overlap between the private sector provisions and other laws or regulatory schemes and jurisdictional overlap

about lack of clarity as a possible issue and

about areas that are unregulated or under-regulated by the private sector provisions or other laws, and areas that are over-regulated.

The issues paper also suggested a number of topics for submission focussed on the Privacy Act itself. It asked about:

issues arising from differences between the NPPs and IPPs

the workability of the Australian Government contractor provisions, especially for contractors that would otherwise be exempt as a small business, and whether they could be improved

the interaction between the private sector provisions and the other provisions of the Act, and between the NPPs and Part IIIA of the Act and

how the identified issues could be addressed.

Finally, the issues paper addressed the issue of new developments in technology. This is addressed in Chapter 8.

Other law impacting on privacy

Other provisions of the Privacy Act

Public and private sector provisions integrated

The private sector provisions were enacted as an amendment to the existing Privacy Act 1988. It was intended that the NPPs would operate alongside the pre-existing provisions of the Act, including the IPPs, which apply to public sector agencies, and the provisions regulating credit reporting (largely contained in Part IIIA of the Act). Although the NPPs are similar to the IPPs, there are differences. Unlike the IPPs, the NPPs include specific provisions about the transfer of data overseas (NPP 9), and the NPPs provide more protection to defined types of ‘sensitive personal information’, including health information. The NPPs and the IPPs are included at Appendices 4 and 5 respectively.

Interaction of private sector provisions with other provisions

There are circumstances when an organisation might be subject to both the NPPs and the IPPs. An Australian Government contractor, for example, may be bound to comply with the NPPs, and will also be bound by contract to comply with the IPPs. Some government enterprises are, for the purposes of the Privacy Act, both an ‘agency’ (in relation to their non-commercial activities) and an ‘organisation’ (in relation to their commercial activities). Similarly, credit providers and credit reporting agencies will generally be an ‘organisation’ for the purposes of the private sector provisions and will be bound by the NPPs as well as the provisions of Part IIIA of the Act which impose specific obligations on them.

Other Commonwealth legislation

Overview

A number of pieces of Commonwealth legislation impose obligations on organisations that may have an impact on how those organisations comply with their obligations under the Privacy Act. This legislation is administered by various Australian Government agencies.

Misleading and deceptive conduct

Section 52 of the Trade Practices Act 1974, administered by the Australian Competition and Consumer Commission (ACCC), provides that a corporation shall not, in trade or commerce, engage in conduct that is misleading or deceptive, or is likely to mislead or deceive. This may influence the way in which an organisation complies with NPP obligations such as making people aware it has collected their personal information, openness and giving reasons for denying access or refusing to correct personal information. A similar provision in the Australian Securities and Investments Commission Act 2001 (ASIC Act), administered by the Australian Securities and Investments Commission (ASIC), section 12D, applies to financial services.

Telecommunications

The Telecommunications Act 1997, administered by the Australian Communications Authority (ACA), includes provisions relating to privacy. The Telecommunications (Interception) Act 1979 makes it an offence to intercept communications and specifies the circumstances in which interception may lawfully take place. The Spam Act 2003 establishes a scheme for regulating commercial email and other types of commercial electronic messages. This is discussed in more detail later in this chapter at 2.3.

Other

Other relevant Commonwealth legislation includes the Corporations Act 2001, which limits use or disclosure of information on company shareholder registers (section 177), and the Commonwealth Electoral Act 1918, which regulates access to, and use and disclosure of, electoral roll information. The Australian Broadcasting Authority (ABA) may investigate complaints alleging a breach of broadcasting industry codes, some of which include provisions intended to protect individual privacy, or practice[20].

State and territory legislation

New South Wales, Victoria, the Australian Capital Territory and the Northern Territory have privacy legislation that covers all or part of their own public sectors. In Tasmania, similar legislation commences on 1 July 2005. Other jurisdictions have administrative arrangements which seek to establish appropriate information handling practices. Queensland has established two standards for privacy regulation in its public sector on an administrative basis. In South Australia, an administrative instruction applies to government agencies and a Code of Fair Information Practice, based on the NPPs, applies to all personal information handled by the Department of Human Services and its agencies. The Western Australian public sector does not currently have a legislative privacy regime.

Each jurisdiction’s scheme is slightly different and so are the principles on which they are based. In addition, New South Wales and Victoria have health privacy legislation that regulates the handling of personal information in their public sectors and the private sector. They contain similar, though not identical, principles to the NPPs. The Australian Capital Territory has legislation, that predated the NPPs, covering health service providers in the public and private sector. The Australian Health Ministers’ Advisory Council (AHMAC) is currently working towards a National Health Privacy Code, which may be one way of achieving national consistency for the handling of personal health information.

Other law

Other obligations overlap with responsibilities imposed on organisations by the Privacy Act. They include:

Self regulatory mechanisms

A number of industry organisations developed their own codes.

Telecommunications. The Australian Communications Industry Forum (ACIF) has developed a number of industry codes and guidelines, some of which deal with matters relating to the handling of personal information.

Direct Marketing. The Australian Direct Marketing Association (ADMA) has developed a model code, which includes the NPPs and a reference to the NPP Guidelines. It enforces the code against its members.

E-marketing. Following passage of the Spam Act, the Australian eMarketing Code of Practice was registered under Part 6 of the Telecommunications Act.

Submissions favour national consistency

Submissions overwhelmingly support the goal of national consistency. Business generally, and the finance and retail industries in particular, think that national consistency is important.

Members of the Australian Finance Conference (63) support the Government’s object of achieving a single comprehensive scheme for handling personal information and it continues to remain important for them. It remains relevant and important to the Australian Bankers’ Association (70). It is ‘essential’ for the financial planning industry says the Financial Planning Association (85). In the view of the Australian Association of Permanent Building Societies (91), it is ‘imperative’ for there to be a single nationally consistent scheme.

The charity sector agrees. Fundraising Institute Australia Ltd (52) argues that national consistency is important in ensuring compliance and reports that its members advise that consistency would improve their capacity to undertake their work as fundraisers.

Consumers also agree. The Consumers’ Federation of Australia (65), for example, says national consistency is essential for privacy protection for consumers in Australia. The Australian Consumers’ Association (15):

‘endorses the goal of a single, comprehensive, nationally consistent scheme for privacy protection in Australia. Such consistency makes the task of compliance by industry easier and cheaper. It facilitates education.’

On the other hand, in stakeholder forums, consumer groups made the point that they do not want national consistency at the cost of reducing privacy protection to the lowest common denominator.

The health sector, including the private hospital sector, professional organisations and public sector bodies like the Health Services Commissioner, Victoria (27), say there should be nationally consistent health standards. The Royal District Nursing Service (78) says national consistency is ‘vital’.

Objective has not been achieved

Despite the almost universal support for consistency, the objective has not been achieved in the view of very many submissions. Business and consumers agree that the objective has not been met. The Australian Consumers’ Association (15), the National Health and Medical Research Council (32), Promina (34), the Consumers’ Federation of Australia (65) and the Australian Health Insurance Association Ltd (76), for example, all agree the objective has not been achieved.

The Australian Chamber of Commerce and Industry (22) says there is a general trend towards ‘fragmentation’, which has ‘adverse consequences in terms of magnified compliance burdens, administrative duplication and overlap between the separate regimes’.

Submissions from business and consumer organisations describe an emergence of a ‘patchwork’ of federal and state and territory legislation, driven by, according to the Consumers Federation of Australia (65):

‘divisions by public and private sectors of the economy, state and federal levels of government, specific economic sectors (such as health), emerging technologies [and] gaps embodied in the federal legislation’.

Telstra (110) identifies state and territory legislation which contracted service providers must comply with and says that:

‘the proliferation of State-based legislation and inconsistency between State-based and Commonwealth legislation has the potential to add costs to conducting business with Government agencies’.

The Australian Retailers Association (111) describes recently introduced (or about to be introduced) state legislation as ‘designed to subvert the authority of the Federal Privacy Commissioner and create a complicated compliance regime for business.’

ANZ (40) is concerned that Australia will end up with differing laws among states that will confuse customers and increase compliance costs. The Insurance Council of Australia (59) describes privacy law as a ‘patchwork’, as does the Australian Bankers’ Association (70). The Australian Communications Authority (94) says there are gaps, overlap and jurisdictional confusion.

Coles Myer (60), concerned about the introduction of workplace surveillance legislation by the states, says that:

‘as with any other area of regulation (eg tax) any exemptions or possible inconsistencies provide an opportunity for the States and Territories to impose their own requirements’.

What submissions say - issues

State and territory laws are inconsistent with the Privacy Act

Overview

One of the consequences of the lack of national consistency in the way privacy is regulated is that organisations may be subject to inconsistent laws. There are inconsistencies between the Privacy Act and some state and territory legislation. Submissions identify a number of examples of this.

Health services

Health services provided by the private sector are subject to the Privacy Act. They may also be subject to state and territory health records legislation which may not be consistent with the Privacy Act. This is discussed in detail later in this chapter at 2.5.

Welfare organisations

Welfare organisations administer programs that are government funded. They may be funded by both the Australian Government and a state or territory. A charitable organisation (11) points out that in administering its Employment Services and Community Services programs it may have to comply with the NPPs, the IPPs, department procedural requirements and state or territory law. Furthermore, as their Community Services contracts are often negotiated on an individual program basis, the responsibility for interpreting the contractual provisions will fall on local management. The issue is further complicated by the fact that the organisation may need to collect health information as well, which is subject to state or territory health records legislation.

Tenancy databases

The Real Estate Institute of Australia (13) identifies legislation relating to tenancy databases as an example of lack of consistency between federal and state and territory legislation. Its submission to the working group of the Ministerial Council of Consumer Affairs advocated that a nationally consistent framework should be developed for the operation of tenancy databases. In the meantime, Queensland and New South Wales have their own legislation and the Australian Capital Territory is considering it.

Occupational health and safety

St John Ambulance Australia (97) identifies an inconsistency between the Privacy Act and occupational health and safety legislation in the context of reporting casualties at events.

Commonwealth laws are complex

Telecommunications

Submissions have drawn attention to inconsistencies between the Privacy Act and other Commonwealth legislation, for example, between Part 13 of the Telecommunications Act and the Privacy Act in relation to disclosure of customer information. Telecommunications companies may be subject to both. This is discussed in detail later in this chapter at 2.3.

Credit unions

There are other difficulties in the relationship between the Privacy Act and other Commonwealth legislation. The Credit Union Services Corporation (CUSCAL) (64) is concerned that the Corporations Law provides that credit unions must give anyone access to their share register which contains personal information about their shareholders who are also their customers.

Private health insurance

The Private Health Insurance Ombudsman (10) draws attention to difficulties caused by the notion of ‘contributor’ and ‘dependents’ in relation to a private health insurance contract in the National Health Act.

Inconsistency between the NPPs and IPPs

Organisation may be subject to both

There are inconsistencies between the NPPs and the IPPs. Some organisations may be subject to both. Australia Post (109) points out that the IPPs apply to its ‘non-commercial activities’ but the NPPs apply to its commercial activities. In addition, its employees must comply with further, and more specific, obligations of privacy and confidence in the Australian Postal Corporation Act 1989.

Commonwealth contractors

An organisation contracted by the Australian Government (or subcontracted by an Australian Government contractor) to perform outsourced functions for the Australian Government must comply with the IPPs and the NPPs. The contract will require the contractor to comply with the IPPs. Where there is no provision in the contract equivalent to one or more of the NPPs, the NPPs apply.

The Chamber of Commerce and Industry WA (Inc) (77) says that there are aspects of the IPPs which may be problematic or confusing. The Tenants’ Union of Queensland Inc (69), which is funded through the Community Legal Centres funding program, notes that having to comply with both the IPPs and the NPPs is unreasonably cumbersome on community sector organisations.

In the view of Telstra (110), the differences between the IPPs and the NPPs may lead to uncertainty about the obligations that apply when a contracted service provider collects (or otherwise handles) personal information on behalf of an Australian Government agency.

Finally, the Australian Government Department of Health and Ageing (99) identifies inconsistencies that have arisen in the context of Australian Government funded Aboriginal health services. It draws attention to circumstances when compliance with the NPPs alone would, in the appropriate circumstances, allow a doctor to discuss the care of a patient with a relative without the patient’s consent but compliance with the IPPs would not.

An organisation may be subject to several privacy regimes

A number of submissions describe the difficulties they face complying with several privacy regimes at the same time. Promina (34), whose operations are national, is ‘subject to a complex matrix of federal and state legislation’. A confidential submission notes that each business activity is subject to different privacy legislation according to the state or territory the business operates in; the type of business; the type of personal information collected (personal information or health information); and whether the business unit is considered a government agency or a private sector organisation.

The Department of Health and Ageing (99) gives an example of the effect of several layers of privacy regulation. In giving advice to ACT pathologists who were changing their forms in a way that gave rise to privacy implications, the Department had to refer to the Privacy Act (the IPPs and NPPs), the Health Records (Privacy and Access) Act 1997 (ACT) and other ACT legislation, applying to pathologists operating as a private sector organisation.

Single piece of information may be subject to different laws

A number of submissions, particularly those from financial services organisations, have pointed out that one consequence of the plethora of legislation is that a single item of personal information may have several pieces of legislation, possibly inconsistent, applying to it. Promina (34), a group of insurance and financial services companies that operates nationally, notes that:

‘a single piece of personal information may be subject to two or more . . . legislative regimes at one time, creating conflicting obligations, different obligations or more onerous obligations in respect of the whole or parts of that same piece of information.’

‘same piece of personal information may have multiple pieces of legislation applying to it, some of these obligations may compete with others and we may have to quarantine particular parts of that information and apply federal or state laws as applicable.’

There are jurisdictional problems

The plethora of legislation gives rise to jurisdictional problems. This affects both organisations and consumers. Telecommunications companies, for example, are subject to multiple regulators, including, for example, the Privacy Commissioner, the Australian Communications Authority (ACA), and the Telecommunications Industry Ombudsman (TIO). However, Optus (98), which deals with the ACA, the Office and other government bodies on various aspects of privacy, says that dealing with different regulators has not caused it any difficulties. The ACA (94) says that even the regulator may not know if it has jurisdiction until the investigation has begun.

The Private Health Insurance Ombudsman (10) notes that there is no clear jurisdiction in relation to privacy complaints between the federal and New South Wales Privacy Commissioners. Consequently, a person in New South Wales may complain to both.

ANZ (40) notes that banking customers with a privacy complaint may choose to go to the Banking and Financial Services Ombudsman (BFSO) or to the Privacy Commissioner. In a recent case a customer took part of a complaint to the BFSO and the privacy aspect of it to the Privacy Commissioner. (The whole complaint was ultimately resolved at a conciliation conference between the customer, the bank and the BFSO).

Telecommunications customers may also choose between the TIO and the Privacy Commissioner.

Compliance is more difficult

The lack of a single, national and comprehensive regime increases the administrative and cost burden of compliance on organisations. Submissions from a number of industries have drawn attention to this.

Suncorp-Metway Ltd (35) notes that its staff need to deal with various pieces of legislation and to deal with a number of regulators, ranging from the Privacy Commissioner to the Health Care Complaints Commissions of the states. It notes:

‘this makes the practice of providing information, adhering to the correct legislation and reference to a Regulator difficult for our staff and may result in the incorrect information being provided, incorrect principles or guidelines being applied or information not being fully provided.’

ANZ (40) is particularly concerned that if New South Wales or Victoria introduces their own workplace privacy legislation, which seems likely, the prospect of non-uniform laws throughout Australia would be opened again. Organisations that operate nationally would be subject to contradictory laws affecting the national workforce.

‘This would be likely to create significant additional compliance costs due to systems modifications, altered practices and staff training in order to manage the differences and ensure compliance.’

Comcare (12), which deals with health professionals, says that they are often unsure as to which privacy regime they are subject to when dealing with information relating to people in the Commonwealth jurisdiction.

The Australian Compliance Institute (16) notes that many national health services comply with what they consider to be the more onerous Victorian and New South Wales provisions across all jurisdictions to ensure they need deal with only one compliance system.[21]

Difficult to advise

The Australian Physiotherapy Association (37) notes that inconsistent legislation creates confusion for its members. Furthermore, it creates difficulties for the association itself in keeping abreast of the legislation and putting out a consistent message to its members about their privacy obligations.

Lack of consistency is getting worse

Many submissions say that the problem of inconsistency is getting worse. They cite, for example, the proliferation of state and territory health records Acts and the Australian Government’s recently enacted Spam Act. Financial institutions in particular express concern about the developments in workplace surveillance legislation at a state and territory level, and the Real Estate Institute of Australia (13) is concerned that legislation regulating tenancy databases is being introduced in a piecemeal fashion. The Credit Union Services Corporation (CUSCAL) (64) is concerned about proposed anti-money laundering laws that will force credit unions to collect more, not less, personal information about its members. CUSCAL:

What submissions say – addressing the issues

Australian Government should exercise its constitutional power

Some submissions suggest that the Australian Government should exercise its constitutional power to ensure that Commonwealth law prevails. A charitable organisation (11) says that the Australian Government should enforce its overriding constitutional power to the extent that all formal complaints about privacy should go to the Privacy Commissioner. The Salvation Army Australia Southern Territory (74) argues that Commonwealth law should prevail over state and territory law to provide consistency.

Review and simplify

The complex nature of privacy law in Australia leads a charitable organisation (11) to suggest that the legal requirements imposed by privacy law should be reviewed and simplified. The National Health and Medical Research Council (32) says that there should be a single, simplified national health privacy regulatory scheme.

Greater co-operation among governments

Submissions from health services raise the lack of consistency between the Privacy Act and state and territory legislation regulating health records as a problem, and a problem that will become worse as electronic medical records become commonplace.

Banks and other financial institutions are concerned that at least two states are developing workplace surveillance legislation independently of each other.

A participant in a stakeholder forum hopes that at least the various bodies might consider a consistent interpretation of terms such as ‘related’ and ‘reasonable’ because currently they are interpreted differently across jurisdictions.

There clearly needs to be greater co-operation between the Australian and state and territory governments in developing legislation that has privacy implications if national consistency is to be achieved. In the view of the Australian Information Industry Association (43), the Australian Government needs to take the lead to ensure that disparate policies do not emerge. The Insurance Council of Australia (ICA) (59) recommends that

‘Federal and State Ministers should work together to ensure that privacy regulation is developed in a coherent and consistent manner. Health ministers should promote co-ordination between the States in the development of privacy legislation.’

Telstra (110) wants to see more co-operation between the Office and other regulators to ensure a national and consistent approach to enforcement.

There needs to be a process for ensuring ongoing Australian and state and territory government co-operation. This has already happened in the area of health privacy. A National Health Privacy Working Group of the Australian Health Ministers’ Advisory Council (AHMAC) is developing a national privacy code. Applauding the commitments of the health ministers, the ICA encourages AHMAC to finalise the health code.

Enhance the Privacy Commissioner’s role

Given the need for a national approach it is appropriate that the Australian Government should take the lead in any process that is established to ensure consistency.

In the view of Telstra (110), the Australian Government should liaise with State and Territory governments to encourage a consistent approach. The Salvation Army Australia Southern Territory (74) urges the Office to take a role in ensuring consistency.

A number of possible mechanisms for doing this are identified in submissions. The Association of Market Research Organisations (AMRO) and the Australian Market and Social Research Society (AMSRS) (61) suggest that there should be a clearing house for ensuring that proposed legislation is consistent with the Privacy Act and that there should be a Privacy Impact Statement made for each new law. In the view of the Australian Bankers’ Association (70), the clearing house should be the Office.

‘The ABA would support the Privacy Commissioner taking a lead role in the oversight and co-ordination of developments in other legislation that have implications for privacy regulation acting as a clearing house to ensure national consistency with the Act wherever possible’.

Other submissions recommend an enhanced role for the Office. The Australian Direct Marketing Association (67) suggests that the Office should be given increased authority to ensure there are appropriate mechanisms to ensure legislation that is inconsistent with the private sector provisions is not passed.

The Australian Nursing Federation (127) suggests that the Office should initiate a process to consult with all stakeholders to develop a single piece of national health privacy legislation.

Coles Myer Ltd (60) suggests the Office should be adequately funded to be involved in proposed laws. In the view of the Credit Union Services Corporation (64), it should also be well enough funded to participate actively in the development of new anti-money laundering laws.

Combine the NPPs and the IPPs

A number of submissions recommend that the NPPs and IPPs be combined into a single set of privacy principles that would apply to both Australian Government agencies and private sector organisations. In the view of a charitable organisation (11), the NPPs should prevail. Electronic Frontiers (51) says that the harmonisation of the two sets of principles should be done so as to provide the highest level of privacy protection from each of them.

Remove exemptions from the Privacy Act

One of the ways to ensure greater national consistency could be to remove the existing exemptions from the Privacy Act. In the view of a number of participants in the stakeholder forums, the exemptions provide gaps in protection that states and territories need to fill with their own legislation. Among the drivers of the development of privacy law in other jurisdictions are the gaps in the protection provided by the federal law. The exemptions in the Privacy Act are undermining the goal of national consistency.

Options for reform

Clarify constitutional issue

The failure of the Privacy Act to achieve its object of establishing a ‘singlecomprehensive national scheme’ for the protection of personal information isan issue for the private sector. As submissions reveal, national consistency isimportant to business, to charities and to individuals. The lack of nationalconsistency contributes significantly to the costs imposed on business. It isnot clear whether section 3 of the Privacy Act, which provides that theoperation of state and territory laws that are ‘capable of operating concurrentlywith’ the Act are not to be affected, covers the field or not. This provisiondetermines whether or not a state or territory privacy law, or part of it, is or isnot constitutional.

This lack of clarity leaves the way open to a state or territory to pass its ownlaws on the ground that there is no constitutional barrier to doing so. Itcertainly may be that state and territory legislation purporting to regulatehealth records is inconsistent at least to the extent that it imposes obligationson organisations covered by the Privacy Act. If so, it may be unconstitutional.Section 3 could be amended to make it clear that the Privacy Act wasintended to cover the field.

Australian Government to promote national consistency

All stakeholders regard national consistency as very important and claim that it has not been achieved. Because of the exemptions in the Privacy Act, some hold the Australian Government at least partly responsible for not achieving the ‘single comprehensive national’ scheme it promoted. It is also a consequence of our federal system. It is clearly the role of the Australian Government, rather than the states and territories, to play the leadership role in promoting national consistency. To succeed it has to be done at the highest level. The Australian Government could ask the Council of Australian Governments (COAG) to endorse national consistency in all privacy related legislation.

Consult Privacy Commissioner about all privacy related legislation

There would be more consistency in privacy related legislation if a centralised body had oversight of all proposed legislation. One possibility is that the Privacy Commissioner plays that role. The Privacy Commissioner is already consulted when Australian Government policy affecting privacy is being developed. Even if desirable, it may not be practical to nominate a federal body to play such a role in relation to the states and territories.

Examine IPPs and NPPs

The lack of consistency between the IPPs and the NPPs causes considerable compliance difficulties for organisations that are public sector organisations that undertake commercial activities and for some private sector organisations, especially those who are funded by Australian Government agencies or are contracted to Australian Government agencies. Although both sets of principles draw on the 1980 Organisation for Economic Cooperation and Development (OECD) Guidelines for the Protection of Privacy and Transborder Flows of Personal Data, each set of principles reflects the time in which it was developed.

Similar functions are performed by both public and private sector bodies, and both public sector and private sector bodies may be characterised as both an agency and an organisation for the purposes of the Privacy Act. There seems no clear rationale for applying similar, but slightly different, privacy principles to public sector agencies and private sector organisations and certainly no clear rationale for applying both to an organisation at the same time. There is no clear policy reason why they are not consistent. The time may have come for a systematic examination of both the IPPs and the NPPs with a view to developing a single set of principles that would apply to both Australian Government agencies and private sector organisations.

Consider Australian Government contractors

As part of the suggested examination of the IPPs and NPPs the application of both the IPPs and the NPPs to Australian Government contractors could be considered.

Power to make a binding code

When state and territory governments pass legislation regulating activities that businesses engage in on a national basis that is not uniform, there is a negative impact on business.

Having to comply with similar but different legislation in the states and territories adds to the costs and complexity of compliance.

One way of overcoming the problems caused by inconsistent state and territory legislation regulating a particular activity is to provide for a power within the Privacy Act to develop binding codes. There are a number of ways in which this could be achieved. For example, the Attorney-General, after identifying the need for a code in a specific sector, could ask the Privacy Commissioner to commence a process to develop a code in consultation with key stakeholders. The Privacy Act would need to be amended to provide a power for the Privacy Commissioner to develop a code following a request from the Attorney-General.

A model that is worth considering is that set out in the Trade Practices Act 1974. The Act provides by regulation for the Minister to declare a code mandatory for the industry in question.

Alternatively, the Privacy Act could be amended to provide for the Privacy Commissioner, at his or her own initiative, to make a binding code in appropriate circumstances, again drawing on strong stakeholder consultation.

A model that may be worth considering is that set out in the Telecommunications Act. The Act provides for the telecommunications industry to develop self regulatory codes on a range of matters including privacy. Section 125 of the Act provides a mechanism for the regulator, the Australian Communications Authority, to issue a binding industry standard where a self regulatory code is failing or where no code has been developed. The process places strong emphasis on stakeholder consultation.

Change the name of the Office to the Australian Privacy Commission

Section 19 of the Privacy Act established the Office of the Privacy Commissioner, also known as the Office of the Federal Privacy Commissioner. The NSW Office is known as the Office of the NSW Privacy Commissioner or Privacy NSW; the Victorian Office is the Office of the Victorian Privacy Commissioner or Privacy Victoria.

The similarity of these names causes confusion, especially for consumers who are trying to work out to whom they should make a complaint. Changing the name of the Office would avoid unnecessary confusion. It would also be more consistent with other Australian Government regulatory bodies, such as the Australian Competition and Consumer Commission and the Australian Securities and Investments Commission.

2.2 Recommendations: National consistency

The Privacy Act has not achieved its object of establishing a ‘single comprehensive national scheme’ for the protection of personal information. As submissions reveal, national consistency is important to business, to charities and to individuals. The lack of national consistency contributes significantly to the costs imposed on business.

2. The Australian Government should consider amending section 3 of the Privacy Act to remove any ambiguity as to the regulatory intent of the private sector provisions.

3. The Australian Government should consider asking the Council of Australian Governments (COAG) to endorse national consistency in all privacy related legislation.

4. The Australian Government should consider setting in place mechanisms to address inconsistencies that have come about, or will come about, as a result of exemptions in the Privacy Act, for example, in the area of workplace surveillance.

5. The Australian Government should consider commissioning a systematic examination of both the IPPs and the NPPs with a view to developing a single set of principles that would apply to both Australian Government agencies and private sector organisations. This would address the issues surrounding Australian Government contractors.

6. The Australian Government should consider changing, by legislative amendment, the name of the Office of the Privacy Commissioner to the Australian Privacy Commission.

7. The Australian Government should consider amending the Privacy Act to provide for a power to make binding codes.

2.3 Consistency in telecommunications

Law and policy

Businesses in the telecommunications sector handle a large range of personal information, including customer details, telephone or internet service details, as well as carrying the contents of telecommunications such as voice calls, SMS and MMS messages, and emails.

Telecommunications carriers, as a group, collect personal information about all telephone and internet subscribers, amounting to a very large proportion of the population. There are 11.7 million fixed telephone lines in Australia, 16.5 million mobile phone services, and 5.2 million internet subscribers[22]. Some of this information is routinely transferred between telecommunications carriers as an integral part of the operation of the telecommunications network. Telecommunications carriers also hold information of interest to emergency services and law enforcement agencies.

In addition to information about subscription to telephone, internet and other telecommunications services (e.g. name, address, phone number etc.), the contents of voicemails, emails, SMS and MMS messages can include some of the most sensitive and personal information we have. Such messages are often stored, for varying lengths of time, by telecommunications companies.

The community’s interest in protecting the privacy of telephone calls and other telecommunications is reflected in a range of legislation that pre-dates the private sector provisions of the Privacy Act. The Office’s community attitude research shows that individuals are more reluctant to give organisations their home phone number than all other sorts of information, with the exception of bank account details and income. The Office’s research also shows that this sensitivity has increased over recent years[23].

The private sector provisions of the Privacy Act regulate organisations that operate within the telecommunications sector. These provisions do not, however, include specific references to the telecommunications sector. Telecommunications-related businesses with a turnover less than $3 million may not be covered by the Privacy Act.

A number of submissions focused on the regulation of telecommunications privacy in considering the question of national consistency. Many of these submissions referred in particular to the operation of the Privacy Act with the Telecommunications Act, in some cases analysing in detail the interaction of specific provisions of both Acts.

Telecommunications Act

Part 13 of the Telecommunications Act provides for the confidentiality of personal information and the contents of communications, including restrictions on how telecommunications carriers and carriage service providers may use and disclose information that relates to the affairs of other persons, the contents of communications, and the services they provide. The Privacy Commissioner has the function of monitoring compliance with the record-keeping requirements in Division 5 of Part 13 of the Telecommunications Act.

Part 6 of the Telecommunications Act provides for industry to develop binding codes, for example codes developed by the Australian Communications Industry Forum, which are registered with the Australian Communications Authority. The private sector provisions of the Privacy Amendment (Private Sector) Act 2000 include amendments to Part 6 of the Telecommunications Act, and were intended to recognise and promote the pre-eminence of the Privacy Act and the role of the Privacy Commissioner within the telecommunications environment without diminishing the integrity of the telecommunications self-regulatory regime.

Industry codes provide a mechanism that permits the inclusion of privacy provisions beyond those in the Privacy Act, where the telecommunications industry considers that the NPPs do not readily address some specific industry or service related privacy concern. The Privacy Commissioner has a statutory role during the development phase of industry codes that relate to privacy, which involves the telecommunications sector consulting the Privacy Commissioner about such codes.

Telecommunications (Interception) Act

The Telecommunications (Interception) Act 1979 (Interception Act) has two key purposes. Its primary object is to protect the privacy of individuals who use the Australian telecommunications system by making it an offence to intercept communications. The second purpose of the Interception Act is to specify the circumstances in which it is lawful for interception to take place.

Following amendments to the Interception Act in 2004, stored communications such as emails, SMS and MMS messages are not protected by the prohibition on interception and the associated penalties in the Interception Act. Submissions made no substantial comment on the Interception Act or its interaction with the Privacy Act.

Spam Act

The Spam Act 2003 (Spam Act) sets up a scheme for regulating commercial email and other types of commercial electronic messages. Under the Spam Act, unsolicited commercial electronic messages must not be sent, and there are restrictions on the use of address-harvesting software.

Telecommunications regulators

There is more than one regulator with an interest in privacy in the telecommunications sector. The Australian Communications Authority (ACA) monitors the performance of telecommunications carriers and carriage service providers. The Telecommunications Industry Ombudsman (TIO), set up by the industry, investigates complaints about a range of telecommunications issues, including printed and electronic White Pages, privacy and breaches of the Customer Service Guarantee, and industry Codes of Practice.

Complaints and enquiries

During the review reporting period (21 December 2001-31 January 2005), approximately 9% of all NPP complaints received by the Office (223 complaints) related to the telecommunications sector, positioning it as the third most complained about sector behind the finance and health sectors. The Office also received 1725 telecommunications enquiries over the period, or approximately 4% of NPP enquiries.

The Telecommunications Industry Ombudsman, which also deals with some privacy-related complaints in the telecommunications sector, reports that in the 2003-2004 year, it dealt with 1271 telecommunications complaints that related directly to issues concerning privacy. This suggests that the Office’s NPP complaints represent approximately 6% of the privacy complaints in the telecommunications industry.[24]

Compared to all NPP complaints received in the reporting period, complaints against telecommunications sector organisations were much more likely to concern use and disclosure issues and much less likely to concern access issues.[25]

The following graph shows the NPP complaints received by the Office against telecommunications sector organisations according to the issues raised in the complaint.[26]

Complaints Received from 21 Dec 01 - 31 Jan 05 (by issue raised):
Collection – 51
Use and Disclosure – 125
Data security issues – 42
Data quality issues – 36
Refused access – 19
Other – 5

Disclosure of silent numbers

The disclosure of silent numbers by telecommunications carriers was possibly the most recurrent single issue in NPP complaints received against telecommunications sector organisations. Similarly, the disclosure of silent numbers was a recurrent issue in the ten own motion investigations into organisations in the telecommunications sector commenced by the Privacy Commissioner under section 40(2) in the Act, during the reporting period. These figures reinforce the results in the Office’s community attitude survey about the sensitivity of telephone numbers in the community.

Some of the own motion investigations in the telecommunications sector related to the personal information of many hundreds, and even thousands, of individuals.

Complaints closed

A total of 181 NPP complaints against telecommunications sector organisations were closed in this period, of which 34 were closed as adequately dealt with under section 41(2)(a) of the Privacy Act following investigation or preliminary enquiries by the Office. An analysis of the number of complaints closed under this provision provides an indication of the number of complaints that were substantiated by the Office.

The following graph indicates the issues raised in NPP complaints against telecommunications sector organisations that were closed under section 41(2)(a)[27]. As with complaints received against this sector, over half of the 34 complaints closed under this provision concerned use and disclosure issues.

Complaints Resolved by Respondent following intervention by OPC

Complaints closed from 21 Dec 01 - 31 Jan 05 (by issue raised):
Collection – 2
Disclosure – 18
Data quality issues – 11
Data security issues – 8
Refused access – 3

The operation of other laws

Some use and disclosure complaints against telecommunications sector organisations may have been closed where it was assessed that the use or disclosure was required or authorised by or under another law. In addition, seven of the 181 NPP complaints against telecommunications organisations closed in the reporting period were declined, having been assessed as being more appropriately or currently dealt with under another law, including the Telecommunications Act.

Small business exemption

The Office recently contacted a wide range of Internet Service Providers (ISPs) in the course of its enquiries into an industry-wide practice. At least 25% of the ISPs that responded advised that they could claim the small business exemption. Between 10 and 15% of telecommunications sector respondents to NPP complaints received by the Office were ISPs.

What the submissions say - issues

Overlap of privacy and telecommunications legislation

Electronic Frontiers Australia (51) argues that the telecommunications sector has, of necessity, access to a great deal more information about individuals than do most private sector organisations. This information not only relates to customers, but also to the public in general, and includes the contents of their communications.

To illustrate the scope and importance of the personal information at issue in this sector, Electronic Frontiers Australia (51) quotes at length from an internet service provider executive who said, in 2000, that:

‘we have the username and password for every one of our users, we have their credit card details, we have a lot of information about their liquidity, we can know about every purchase they make online, with whom, when and for how much. We can know every site they visit on the web – every page, every newsgroup, every picture they look at. We could read all of their e-mail and know all about their romances and the jobs they’re applying for. The commercial opportunities arising from this are endless …’.

Telstra (110) says that there is an over-regulation of privacy and information-handling practices, causing regulatory uncertainty and additional compliance costs. Telstra also submits, however, that the private sector provisions of the Privacy Act are working well, and that industry-specific regulation such as Part 13 of the Telecommunications Act is working well.

Electronic Frontiers Australia (51) expresses concern that, in the online environment, individuals have almost no privacy rights, and the obligations that do exist may be difficult to have enforced. It argues that this arises from factors such as uncertainty regarding the definition of ‘personal information’, the ability of organisations to collect personal information without an individual’s consent, the use of ‘bundled’ consents, the small business exemption and technological developments.

Protections on use and disclosure

Sensis (84), the Australian Communications Authority (94), and Electronic Frontiers Australia (51) note that Part 13 of the Telecommunications Act contains different standards for the use and disclosure of personal information than does NPP 2.

Uses and disclosures permitted by the Telecommunications Act

Section 303B of the Telecommunications Act provides that uses and disclosures of personal information that are permitted by Divisions 3 and 4 of Part 13 of that Act are ‘authorised by law’ for the purposes of the Privacy Act. The Telecommunications Act also allows legal proceedings or administrative action to be taken under both the Telecommunications Act and the Privacy Act, in relation to uses and disclosures of personal information.[28]

Telstra (110) suggests that despite the provisions of section 303B of the Telecommunications Act, there may still be uncertainty regarding whether a disclosure of customer information that falls within one of the exceptions in Division 3 or 4 of Part 13 of the Telecommunications Act may nonetheless breach the NPPs or the credit reporting provisions in Part IIIA of the Privacy Act.

Uses and disclosures permitted by NPP 2

Electronic Frontiers Australia (51) raises a further question about the interaction between the Privacy Act and the Telecommunications Act in that section 280(1)(b) of the Telecommunications Act provides that uses and disclosures that are required or authorised by another law are not prohibited by Part 13 of the Telecommunications Act. One possible interpretation of this provision is that the uses and disclosures permitted by the secondary purpose exceptions to NPP 2.1 (for example, for direct marketing) may be available to telecommunications companies, in addition to the exceptions in Part 13 of the Telecommunications Act.

Different standards of protection

Section 289 of the Telecommunications Act permits the use or disclosure of personal information if the person to whom the information relates is either reasonably likely to be aware of the use or disclosure, or has consented to it. Electronic Frontiers Australia (51) argues that section 289 of the Telecommunications Act offers greater privacy protection in relation to use or disclosure for the primary purpose of collection than does NPP 2. For secondary purposes, however, that section is significantly less protective. Unlike NPP 2, section 289 of the Telecommunications Act does not require the use or disclosure to be related to the purpose of collection. As a consequence, a disclosure for a secondary purpose may be permitted by section 289, but not by NPP 2.

Electronic Frontiers Australia (51) also argues that section 291 of the Telecommunications Act is less privacy protective than NPP 2, for example, allowing disclosures for the unrelated secondary purpose of direct marketing by other organisations. Electronic Frontiers Australia also identified section 290 as requiring attention in relation to the disclosure of personal information about third parties.

Section 285 of the Telecommunications Act relates to the use and disclosure of customer information to produce public number directories, and includes a prohibition on the use or disclosure of customer information in connection with a directory with a reverse search capability (that is, where searching on a number provides a person’s name and address). Sensis (84) suggests that the NPPs, rather than industry specific regulation, would be adequate regulation in relation to reverse search functionality.

Small business exemption

A number of submissions noted that the small business exemption may leave unregulated some organisations operating in, or close to, the telecommunications sector.

The Australian Communications Authority (94) notes that Part 13 of the Telecommunications Act does not apply to producers of public number directories (including list brokers). Where a public number directory producer falls within the small business exemption of the Privacy Act, then there may be few or no privacy protections in place.

Electronic Frontiers Australia noted that a range of smaller businesses could fall under the small business exemption, including internet service providers (ISPs), resellers of carrier and/or ISP services, carriage service intermediaries and telecommunications contractors. This is confirmed by the Office’s experience, which suggests that approximately 25% of ISPs may claim the small business exemption.

After the private sector provisions of the Privacy Act commenced in December 2001, the Australian Communications Authority decided to de-register the code ACIF 523 - Protection of personal information of customers of telecommunications providers (October 2001) (CPI Code), to avoid a duplication in the telecommunications privacy jurisdiction[29].

The CPI Code applied to large telecommunications companies, as well as small businesses including ISPs, resellers of carrier and/or ISP services, carriage service intermediaries and telecommunications contractors.

Electronic Frontiers Australia (51) says that a net result of the introduction of the private sector provisions and the removal of the CPI Code may be that individuals currently have less protection, overall, in relation to the handling of their personal information by small businesses in the telecommunications sector, than they did prior to 2001. Given the nature and scope of the personal information that is collected, used and disclosed by the telecommunications sector, there would appear to be a notable gap in privacy regulation.

These considerations are also relevant to the broader consideration of the small business exemption in Chapter 6.

Telecommunications regulators

Submissions generally do not indicate that regulatory overlap is a major problem in the telecommunications sector; however, there are issues deserving attention according to the Australian Communications Authority (94), Optus (98), and Telstra (110). For example, the Australian Communications Authority says that in the handling of complaints, while regulatory overlap may not have been a significant barrier to resolving complaints, it may have led to some delays, frustration and waste (94).

Spam

Submissions highlighted the recent Spam Act as an example of appropriately specific legislation to deal with a particular challenge posed by new technology.

What submissions say – addressing the issues

Overlap of privacy and telecommunications legislation

No change required

Telecommunications companies Virgin Mobile (26), Optus (98), Telstra (110) and Vodafone (112) are generally opposed to further regulation; however, some call for further clarification of specific issues (see below). Virgin Mobile (26) considers the current level of regulation applying to telecommunications companies to be very significant and that further regulation is not warranted, noting that the current set of legislative requirements impose significant compliance costs.

Protections on use and disclosure

Uses and disclosures permitted by the Telecommunications Act

Telstra submitted that Part 13 of the Telecommunications Act should be amended to clarify that a disclosure that fits an exception to Part 13 of the Telecommunications Act is not a breach of the Privacy Act, or that the Office should publish an information sheet outlining its views in relation to privacy complaints in the telecommunications sector.

Uses and disclosures permitted by NPP 2

Electronic Frontiers Australia (51) recommends that the law be clarified to ensure that NPP 2.1 does not authorise uses or disclosures that would otherwise be in breach of the Telecommunications Act.

Different standards of protection

A range of submissions from consumer and industry perspectives feel that the relationship between the Telecommunications Act and the Privacy Act could be further clarified, either through additional guidance or through legislative change[30]. Electronic Frontiers Australia (51) argues that privacy protections should be at least maintained, and in some cases strengthened, in the course of that clarification.

Optus (98), Telstra (110) and Electronic Frontiers Australia (51) saw merit in considering the appropriateness of the privacy protections in Part 13 of the Telecommunications Act. Optus argues that, notwithstanding the usefulness of Part 13 of the Telecommunications Act, it would be beneficial to review it with the aim of making it easier to interpret.

Small business exemption

Electronic Frontiers Australia (51) recommends that the small business exemption be deleted from the Privacy Act.

Telecommunications regulators

Telstra (110) suggests that in the first instance complaints should be investigated by the appropriate industry body, for example the TIO.

Spam

A range of submissions suggest that the relationship between the Spam Act and the Privacy Act could be further clarified, for example through guidance issued jointly by the Office and the Australian Communications Authority.[31] In particular, the different approach to ‘opting out’ between NPP 2.1(c) and the Spam Act was noted by both industry (for example the Australian Bankers Association 70) and consumers (for example, Electronic Frontiers Australia 51). For more discussion on direct marketing see Chapter 4.

Options for reform

Overall it appears from the submissions that the combination of general privacy regulation through the Privacy Act, with technology and sector-specific regulation, is working reasonably well in many areas relating to the telecommunications sector.

Overlap of Privacy and Telecommunications legislation

Exclude telecommunications from the Privacy Act

While excluding telecommunications companies from the Privacy Act may simplify the regulatory arrangements for companies that operate solely in the telecommunications sector, the additional protections offered by the NPPs, particularly relating to collection, data quality, data security and access, would be foregone. There does not appear to be sufficient reason to support this option, particularly considering the special nature and broad scope of personal information handled in the telecommunications sector.

As telecommunications is the third most complained about sector under the NPPs, it appears that the Privacy Act provides an important contribution to protecting privacy in this sector.

Repeal Part 13 of the Telecommunications Act

While repealing Part 13 of the Telecommunications Act may simplify the regulatory arrangements for companies that operate in the telecommunications sector, the relatively strong protections on use and disclosure of telecommunications-related personal information offered by Part 13 of the Telecommunications Act would be foregone. There does not appear to be sufficient reason to support this option, particularly considering the special nature and broad scope of personal information handled in the telecommunications sector.

The relatively large number of privacy-related complaints handled by the Telecommunications Industry Ombudsman may suggest that the regulatory scheme provided by the Telecommunications Act is critically important to protecting privacy in this sector.

Transfer Part 13 of the Telecommunications Act to the Privacy Act

The intention of this option would be to retain the protections of both the NPPs and Part 13 of the Telecommunications Act, but to do so under the one Act. In doing so, careful consideration would have to be given to the relationship between the definition of ‘personal information’ in the Privacy Act, and ‘information’ as used in Part 13 of the Telecommunications Act. Similarly, careful consideration would have to be given to whether the requirement in section 16B of the Privacy Act that the Privacy Act applies only to the collection of personal information for inclusion in a record (or a generally available publication) would narrow the application of the provisions of Part 13 of the Telecommunications Act, were they to be transferred to the Privacy Act.

Guidance

Detailed guidance, issued jointly by the Office and the ACA, may assist in increasing understanding of the interaction of the Privacy Act and the Telecommunications Act. This guidance could concentrate on the issues raised in the submissions, such as the operation of section 303B of the Telecommunications Act. Detailed guidance could also assist to clarify that the exceptions to NPP 2 do not provide an ‘authorisation’ under law, for the purposes of other Acts such as the Telecommunications Act.

However, where there is genuine legal uncertainty about the joint operation of the two Acts, guidance would not assist.

Amendments to the Privacy Act and the Telecommunications Act

Changes to the Privacy Act alone are unlikely to resolve concerns about the potential for inadequate or inconsistent use and disclosure protections. The overall standard of protection for personal information, set by the combination of Part 13 of the Telecommunications Act and the Privacy Act, could be addressed through coordinated amendments to those Acts which clarify their relationship, particularly in terms of the respective provisions concerning what constitutes authorised uses and disclosures under the two Acts.

At a minimum, amendments could clearly specify that the Privacy Act cannot be used to lower the overall standard of privacy protection, so that an exception under NPP 2.1 cannot ‘authorise’ a use or disclosure under section 280(1)(b) of the Telecommunications Act. For example, it should be clear that a disclosure permitted by NPP 2.1(c), for a secondary purpose of direct marketing, would not, through appealing to NPP 2.1(c), also be permitted by section 280(1)(b) of the Telecommunications Act. Amendments should clarify that if a use or disclosure of personal information is not permitted by Part 13 of the Telecommunications Act considered in the absence of the Privacy Act, then it is not permitted even when considered in the context of the Privacy Act.

Amendments to ensure that the higher privacy standard always operates

Recognising the significant quantity, scope and sensitivity of the personal information that is held by, and that flows through, organisations in the telecommunications sector, a further step could be to amend both the Privacy Act and the Telecommunications Act to ensure that the higher privacy standard always operates. This would require amending or repealing section 303B of the Telecommunications Act to ensure that uses or disclosures prohibited by NPPs 2, 7 and 9 are not permitted by the Telecommunications Act, unless there is a clear, sector-specific requirement that meets the public policy goals of the private sector privacy regulatory scheme.

Small Business Exemption

Public number directory producers are authorised under the Telecommunications Act to access the Integrated Public Number Database (IPND). The IPND is a database of all listed and unlisted telephone numbers. It is a repository of personal information (including names and addresses) relating to the end-users of telephone numbers. According to the Australian Communications Authority:

‘In addition to the publication of public number directories, Public Number Directory Producers (PNDPs) are understood to use telecommunications customer information for a variety of other purposes. These uses are referred to by the industry as ‘database enhancement’, ‘data cleansing’, ‘data verification’, ‘list management’ services or ‘information management tools’[32].

Part of the significance of IPND data is that it provides a means for directly contacting a large proportion of the Australian population. The use of telephone numbers to direct market is discussed in Direct Marketing, Chapter 4, including evidence from submissions both that there is a level of irritation in the community about the intrusiveness of phone marketing, and that some customers like direct marketing. The option of establishing a ‘Do Not Contact’ register is also discussed there.

The Australian Communications Authority has decided to determine an industry standard to regulate the use of telecommunications customer information. The Office understands that this standard, in conjunction with the NPPs, will aim to regulate the appropriate use of IPND data.

Producers of public number directories clearly handle personal information, and typically in quantity. In the case of any public number directory producer that has an annual turnover of less than $3 million, there may then be some uncertainty about whether or not the small business exemption applies.

Subsections 6D(4)(c) and (d) provide that a business is not eligible for the small business exemption if it trades in personal information. Subsections 6D(7) and (8), however, permit a business that has an annual turnover of less than $3 million, and trades in personal information, to nonetheless benefit from the small business exemption if the trading in personal information is conducted with the consent of the individuals whose information is traded, or if another law requires or authorises the trading of the information.

Regulate-in small telecommunications businesses

The small business exemption could be removed for a nominated class of telecommunications-related small businesses and public number directory producers, by way of a regulation under section 6E of the Privacy Act. This option is less likely to lead to the kind of regulatory confusion that may arise under other options (outlined below). However, it has the disadvantage of further complicating the nature of the small business exemption.

Telecommunications businesses not eligible for the small business exemption

An alternative to regulation would be to amend the Privacy Act to provide that telecommunications businesses and public number directory producers are not eligible for the small business exemption. This may have the disadvantage of further complicating the structure of the small business exemption.

Self-regulatory privacy code registered with the ACA

Making use of the self-regulatory scheme for the telecommunications sector, under the Telecommunications Act, a new telecommunications industry privacy code could be registered with the Australian Communications Authority, so that all telecommunications organisations and public number directory producers will have NPP obligations through that means.

Disadvantages with this approach include the duplication of privacy regulation for the great majority of telecommunications companies who are already bound by the Privacy Act, and are also bound by registered industry codes, and the confusion and uncertainty that may arise as a result; and a further splintering of privacy regulation, because the Privacy Commissioner may not be the complaint handler for all privacy complaints in the sector.

Commissioner to issue mandatory code

If the Commissioner had a power to issue a mandatory code which covered a certain group of businesses (see recommendation 7), this power could be used to develop and issue a telecommunications sector privacy code.

Remove the consent provisions from the small business exception

This would ensure that all organisations that ‘trade’ in personal information (as described by subsections 6D(4)(c) and (d) of the Privacy Act) would be regulated by the Privacy Act. This would assist in ensuring that public number directory producers cannot make use of the small business operator exemption. This option is also discussed in Chapter 6, Small Business Exemption.

Overlapping regulators

See Chapter 5, Complaint Handling, for further discussion of options for minimising problems arising from overlapping regulators.

Spam

The issue of different standards for opting out of direct marketing is taken up in Chapter 4, Direct Marketing. Beyond the recommendations there, the Office and the Australian Communications Authority could work together to issue joint guidance on the operation of the Privacy Act and the Spam Act.

2.4 Recommendations:

Telecommunications consistency

8. The Australian Government should consider amending the Privacy Act and the Telecommunications Act to clarify what constitutes authorised uses and disclosures under the two Acts, and to ensure that the Privacy Act cannot be used to lower the standard of privacy protection in the Telecommunications Act.

9. The Australian Government should consider making regulations under section 6E of the Privacy Act to ensure that the Privacy Act applies to all small businesses in the telecommunications sector, including Internet Service Providers and Public Number Directory Producers.

10. The Office will discuss with the Australian Communications Authority the development of guidance to clarify the relationship between the private sector provisions of the Privacy Act and Part 13 of the Telecommunications Act.

11. The Office will discuss with the Australian Communications Authority the development of guidance to clarify the relationship between the private sector provisions of the Privacy Act and the Spam Act.

2.5 Consistency in protection of health information

Research on community attitudes towards privacy, conducted by the Office[33], shows the importance that Australians place on the protection of their health information. There are risks of serious harm arising from a failure to adequately protect an individual’s health information, for example when handling genetic information that indicates an individual’s susceptibility to a serious disease or information about an individual’s sexual health. Some individuals may be stigmatised or discriminated against if their health information is mishandled.

While a health service provider’s principal concern is for the health care of their patient, the individual’s right to have their health information protected, and to retain control over it, is also important.

Law and policy

Privacy regulation for health information across Australia consists of a set of overlapping, incomplete and sometimes inconsistent federal, state and territory legislation. The shared intent is to regulate the handling of this sensitive information, and to ensure its protection. However, the multiplicity of laws and provisions, many very similar but not the same, results in confusion and undue complexity.

Commonwealth, state and territory privacy legislation

At the Commonwealth level, the handling of health information is regulated in the private sector and Australian Government public sector through the Privacy Act by the National Privacy Principles (NPPs), the Information Privacy Principles (IPPs) and Public Interests Determinations[34].

Some state and territory jurisdictions[35] have developed privacy legislation for their public sectors. Others have administrative arrangements for this purpose. For example, Queensland has established two administrative standards for privacy in its public sector (one scheme for health sector agencies, and one scheme for other government agencies)[36]. Each jurisdiction’s scheme is slightly different, as are the principles on which they are based.

For privacy in the private sector, two states (in addition to the ACT, which in 2001 already had law covering health services in the private sector) have enacted law seeking to regulate the handling of health information in the private sector. Victoria has enacted the Health Records Act 2001 and in NSW, the Health Records Information Privacy Act 2002 came into force on 1 September 2004.[37] These Acts contain similar, though not identical, principles to the NPPs. For example, the Victorian legislation has certain provisions regarding access to ‘old’ personal health information; there are no equivalent provisions in the NPPs.[38]

Other forms of regulation

Additionally, there are other forms of protection for an individual’s health information. These include ethical and professional codes of conduct adhered to by health professionals, common law obligations of confidence that health professionals must abide by, as well as federal, state and territory statutes about matters such as public health. Also, the enabling legislation of many health agencies often contains secrecy provisions.

Proposed National Health Privacy Code

At the request of Health Ministers, the National Health Privacy Working Group of the Australian Health Ministers’ Advisory Council was set up in 2000 to develop a national framework for health privacy. This proposed framework has become known as the National Health Privacy Code.

After public consultation on the draft code in 2003, a revised version, as well as draft mandatory guidelines for research, and draft explanatory notes for the use or disclosure of genetic information, were developed.[39] These documents are yet to be considered by Health Ministers. The Department of Health & Ageing (99) states this will occur in 2005.

What the submissions say - issues

Problems for health privacy

Submissions overwhelmingly support the conclusion that the existing state of health privacy laws in Australia is unsatisfactory for health service providers and individuals.

Submissions from health services (and organisations representing them) and from insurers identify problems raised by this lack of consistency. A confidential submission says that health insurers, for example, have gone to the expense of setting up systems consistent with the private sector provisions and then have had to look at separate state and territory legislation, regulations and guidelines, involving them in more expense. The Investment and Financial Services Association Ltd (89) says that the inconsistencies cause a significant compliance burden, resulting in increased compliance costs for many of their member organisations. Furthermore, inconsistencies make it difficult for consumers to understand their rights.

The experience of the Office also indicates that this issue represents one of the biggest obstacles to effective and consistent national developments in the health sector, such as electronic health records systems.

The Australian Law Reform Commission (ALRC) and Australian Health Ethics Committee (AHEC) considered the need for harmonisation of privacy regulation in the context of protecting genetic information. Their report recommended ‘as a matter of high priority’, the development of nationally consistent rules for the handling of all health information[40]. This has also been acknowledged in regard to other national initiatives, such as HealthConnect[41].

Obstacles to national consistency

The obstacles to national consistency in health privacy protection are summarised by the Insurance Council of Australia (59):

Inconsistencies between state and territory legislation and the Privacy Act (federal)

Additional obligations imposed by state and territory legislation, over and above the Privacy Act

Differences between the various state and territory regimes.

Submissions identify a number of recurring issues which are discussed below.

Compliance issues

A number of submissions noted the additional compliance costs which are incurred by having multiple layers of privacy legislation.

The Australian Compliance Institute (16) submits, in regard to privacy regulation generally, that ‘as each State introduces new legislation, legal costs are incurred in understanding any potential impact’.

In regard to health privacy specifically, the Law Council of Australia (36) states that:

’…increased compliance costs are incurred, particularly by organisations operating in more than one state or territory, which costs will be passed on to the consumer’.

The Pharmacy Guild of Australia’s (93) submission concurs with this view, noting also that many pharmacies may be small businesses (though they are still regulated by the Privacy Act because they handle health information and provide a health service).

A practical problem was identified in a stakeholder forum. A national medication service operating via a call centre must read different statements to obtain consent depending on the location of the individual (and the law that applies in that jurisdiction).

The Insurance Council of Australia (59) notes that these compliance costs may be incurred by any organisation which handles health information.

Forum shopping

A submission from a not-for-profit organisation (11) notes that ‘…potential complainants/plaintiffs [may] ‘shop around’, to select the most suitable legislation to further their case or grievance’.

This view is supported by the Mental Health Privacy Coalition (58) which states that:

’…small differences also allow legal practitioners the avenue towards arguing different aspects of privacy law in different jurisdictional legal settings, thus creating unnecessary headaches for healthcare providers’.

Confusion about which law to apply

A number of submissions contend that multiple privacy regimes create confusion for providers and consumers. Comcare (12) submits that:

‘our assessment is that some health professionals are unsure as to which privacy regime they are subject to when dealing with information relating to people in the Commonwealth jurisdiction’.

However, it also notes that ‘having said that, the incidence of this issue does seem very low.’

The Mental Health Privacy Coalition (58) submits that ‘a plethora of different laws or guidelines tends to confuse the health sector’. The AMA (29) states that ‘the mish-mash of privacy and health specific privacy legislation is confusing to both doctors and their patients’. A number of other submissions concur that the current arrangements create confusion[42].

Individuals uncertain about enforcing rights

The Insurance Council of Australia (59) notes that multiple privacy regimes affect the ability of individuals to exercise their rights, as individuals need to be aware of the range of bodies to which they may seek recourse.

The Law Council of Australia (36) has expressed the view that “consumers are less likely to be able to clearly understand their rights in any particular situation and are likely to experience increased difficulty and frustration in enforcing those rights”.

The Australian Nursing Federation (ANF) (127) has submitted that there is consumer uncertainty about their rights, at least partly due to the exemptions in the Privacy Act, particularly the small business exemption, the employee records exemption and the journalism exemption.

In addition, the ANF (127) also holds that ‘general confusion exists regarding complaints processes’. Other submissions concluded also that multiple privacy regimes contribute to consumer uncertainty, as consumers may be unsure which regulator to complain to, and which law applies to their matter[43].

A confidential submission refers to the ‘inequitable’ situation where individuals in some states can access their health information regardless of its collection date, but others can access only information collected after 21 December 2001 (the commencement date of the private sector provisions).

The Royal District Nursing Service of Melbourne (78) submits that while there appears to be adequate awareness of privacy rights in the general community, there ‘…is some difficulty in the awareness or understanding of the elderly’.

Options for reform

Adoption of the proposed National Health Privacy Code

Submissions support the work of the National Health Privacy Working Group in developing the proposed National Health Privacy Code. Adoption of the code by all jurisdictions would promote national consistency in the handling of health information.

The success of a national code will depend critically upon how it is implemented. Achieving consistency would involve all jurisdictions implementing the code unamended and in the same manner.

Therefore, one option is for each jurisdiction to incorporate the agreed code, as is, within its laws. The manner for legislatively enabling the code would also need to be the same in each jurisdiction.

Code to be adopted as a Schedule to the Privacy Act

For the Australian Government jurisdiction, the code could become a Schedule to the Privacy Act. The Schedule would apply the code to those bodies already within the jurisdiction of this legislation and that handle health information; that is, many Australian Government agencies and a range of private sector organisations.

This step could occur whether or not all jurisdictions adopt the proposed code. However, it is preferable that this step by the Australian Government is mirrored by each jurisdiction.

The need to ensure that the code is reflected in the Privacy Act is noted by the Victorian Health Services Commissioner (27). Similarly, the National Health and Medical Research Council (32) recommends that ‘a single, simplified national health privacy regulatory scheme’ (that is, the code) should replace and not supplement existing regulatory arrangements. The Australian Nursing Federation (127) highlights the importance of consistency between the Privacy Act and the code, and looks forward to a national regulatory framework that incorporates ‘a national process for [addressing] complaints and breaches’.

Once the code is adopted into the Privacy Act (particularly if as a schedule), the Australian Government could seek agreement from all jurisdictions for any subsequent regulatory measures in this area by them to be consistent with these provisions.

The code, as established through the Privacy Act, could become the de facto national standard for health privacy. If agreed, all other jurisdictions would be expected to adhere to this standard. Through this approach, the Australian Government would provide national leadership in this complex area. Success, however, again depends upon agreement by all jurisdictions.

Code to be adopted by amending the NPPs

Similar to the previous option, whether or not all jurisdictions adopt the code in the same way, the NPPs in the Privacy Act could be amended to ensure consistent privacy protection for Australian Government agencies and private sector organisations that handle health information. The NPPs would be amended to incorporate the provisions of the code.

This approach would entail one set of privacy principles to regulate the handling of health information. These principles would be based on the NPPs, and include the provisions of the code. This would go some way toward addressing broader national consistency issues identified in this report, such as the differences between the IPPs and the NPPs.

However, the resulting principles would be longer and more complex. This option would require the insertion of multiple sub-principles and exceptions to the NPPs to take account of the code.

This approach would run counter to the intent of delivering general, high-level principles for all business and government sectors. For instance, the approach would mean that non-health organisations and agencies would need to deal with a more complex set of privacy principles, where much of the content may not apply to them. This would not improve, and may even increase, regulatory complexity overall.

Stakeholder awareness and education

If national consistency is pursued by legislative or regulatory intervention, and whether or not it is fully achieved, substantial awareness and education programmes could be developed to explain how the various privacy regimes interact.

This approach would involve providing awareness and education for consumers, providers and other stakeholders about the roles of the various schemes, the differences between them, and how to assert rights or to comply with obligations. The approach could reduce perceived uncertainties surrounding which laws apply to various organisations and agencies, including which complaint handling arrangements would operate. It would seek to assist stakeholders to work their way through the multiple and interacting privacy schemes.

This is likely to be resource intensive, not only for the Office and those in the Australian Government jurisdiction, but for state and territory agencies with regulatory and education/awareness responsibilities, and for private sector professional entities. It would not resolve national consistency issues (or the lack thereof) at law, nor would it create assurances about how health privacy laws interact.

2.6 Recommendations: Health Consistency

12. The Office urges the National Health Ministers’ Council to finalise the National Health Privacy Code. This should include agreement by all jurisdictions on the contents of the code and on its consistent implementation in each jurisdiction.

13. The Australian Government should consider adopting the National Health Privacy Code as a schedule to the Privacy Act. This would recognise the Australian Government’s part in the consistent enabling of the Code. Should agreement not be reached by all jurisdictions about implementing the Code, the Australian Government should still consider adopting the code as a schedule to the Act to provide greater consistency of regulation for the handling of health information by Australian Government agencies and the private sector. (See also recommendations 29, 33 and 35.)

2.7 Residential tenancy databases

What are residential tenancy databases?

Residential tenancy databases are privately owned electronic databases that contain information on the tenancy history of tenants. Property managers and landlords use them to assist in assessing risk and identifying potential problem tenants during the rental application process. Most property managers and real estate agents routinely subscribe to at least one tenancy database to screen prospective tenants. There do not appear to be industry standards or codes of practice which apply to them.

Application of the Privacy Act

The Privacy Act applies to tenancy databases with an annual turnover of more than $3 million. It also applies to tenancy databases with a turnover of $3 million or less, despite the small business exemption, because they trade in personal information. If, however, a tenancy database that is a small business gains consent for the collection or disclosure of an individual’s personal information, then the Privacy Act does not apply.

Issues

There is a wide range of concerns about how tenancy databases operate. This section of the report is not concerned with the substantive issues. It is concerned only with the national consistency issues.

Tenancy databases are regulated by the Privacy Act and state and territory privacy legislation, including specific legislation regulating tenancy databases in some jurisdictions. Queensland and New South Wales have introduced legislation to prescribe listing and notification practices, and dispute resolution frameworks, and the ACT has foreshadowed similar legislation.

The Real Estate Institute Australia (13) draws attention to the lack of consistency in the various legislation, federal and state and territory, relating to tenancy databases. As this impacts negatively on consumers and business, the Institute suggests that a nationally consistent framework, with guidelines, should be developed for the operation of tenancy databases.

Options for reform

Australian Government could regulate tenancy databases

Tenancy databases operate nationally. The issues addressed by state and territory legislation are not confined to those states and territories, but are national. A patchwork of legislation is emerging and adding to the lack of national consistency in privacy protection. The Australian Government could regulate residential tenancy databases.

Commissioner could make a binding code

Earlier in this chapter, the Report recommends that the Australian Government should consider amending the Privacy Act to give the Privacy Commissioner a power to make binding codes. One of the policy reasons for doing so is that there may be some business activities that give rise to issues that demand a regulatory response on a national basis. In the absence of federal legislation or uniform, or at least consistent, state and territory legislation, and assuming that the Australian Government amends the Act in accordance with the recommendation, the Privacy Commissioner could make a binding code to apply to residential tenancy databases.

MCCA/SCAG process

In August 2003, the Ministerial Council on Consumer Affairs (MCCA) and the Standing Committee of Attorneys-General (SCAG) agreed to establish a joint working party to consider residential tenancy databases. The Office is represented on the working party, which is chaired by the Attorney-General’s Department of the Australian Government. The working party intends to report to MCCA and SCAG by the middle of 2005. The Australian Government could make this process a matter of high priority.

2.8 Recommendations: Residential tenancy databases

14. The Australian Government should advance as a high priority the work currently being undertaken by the Working Group on Residential Tenancy Databases of the Ministerial Council on Consumer Affairs/Standing Committee of Attorneys-General.

15. The Australian Government should consider, depending on the outcome of the Ministerial Council on Consumer Affairs/Standing Committee of Attorneys-General, making the Privacy Act apply to all residential tenancy databases. This could be done by using the existing power under section 6E to prescribe them by regulation, or by amending the consent provisions (section 6D(7) and section 6D(8)) that apply to the small business exemption. (See recommendation 53.)

16. If the Privacy Act is amended to provide for a power to make a binding code (see recommendation 7), and depending on the outcome of the Ministerial Council on Consumer Affairs/Standing Committee of Attorneys-General, the Privacy Commissioner could make a binding code that applies to tenancy databases.

3 International issues and obligations

3.1 EU Adequacy and APEC

Law and Policy

EU adequacy a driver of the legislation

An object of the private sector provisions was to ensure that Australia would be able to meet international obligations and not be disadvantaged in the global information market. The provisions aimed to provide adequate privacy safeguards to facilitate further trade with the European Union (EU). In the absence of the new provisions, the Explanatory Memorandum stated:

‘there are serious questions surrounding the ability of Australia to meet the requirements for continued trade with EU members under the European Union Directive on the Protection of Individuals with regard to the Processing of Personal Data and on the Free Movement of Such Data’[44].

Privacy Act is not yet EU ‘adequate’

Negotiations with the European Commission regarding the adequacy of the Privacy Act in meeting the EU Directive have been continuing. The amendments to the Privacy Act in April 2004 were a result of these discussions[45]. These amendments to the legislation make it clear that the protection provided by NPP 9, which regulates transborder data flows, applies equally to the personal information of individuals who are Australian and those who are not. They remove the nationality and residency limitations on the power of the Privacy Commissioner to investigate complaints relating to the correction of personal information. They also give businesses and industries greater flexibility in developing privacy codes by allowing the codes to cover otherwise exempt acts and practices where the authors of the code wish to do so. However, there are ongoing discussions with the European Commission regarding the small business and employee records exemptions from the Privacy Act.

The EU has not granted Australia ‘adequacy status’ regarding the EU Directive nor has it stated that Australia’s privacy regime is inadequate. At this stage, the EU has declared Switzerland, Canada, Argentina, Guernsey, Isle of Man, the US Department of Commerce's Safe Harbour Privacy Principles, and the transfer of Air Passenger Name Record to the United States' Bureau of Customs and Border Protection as providing ‘adequate’ privacy protection.

Asia-Pacific Economic Cooperation (APEC) framework

The endorsement of the APEC Privacy Framework by APEC Ministers in November 2004 means that APEC countries, including Australia, need to make sure that their privacy regimes meet a new set of international obligations. The APEC privacy framework has a number of aims including promoting electronic commerce, providing guidance to APEC economies and helping to address common privacy issues for business and consumers in the region. The initiative has the potential to accelerate the development of information privacy schemes in the APEC region and to assist in the harmonisation of standards across national jurisdictions.

The APEC framework, like the NPPs, was designed to be consistent with the core values of the Organisation for Economic Cooperation and Development’s (OECD) 1980 Privacy Guidelines[46]. The APEC Principles cover areas such as notice, collection, use and disclosure, choice, integrity of personal information, security safeguards, access and correction and accountability. APEC will continue making decisions about the implementation of the APEC principles during 2005.

Issues

The issues paper noted that it was not clear whether organisations are finding that their commercial activities are impeded by the private sector provisions in their current form. It raised issues such as whether the private sector provisions are working for businesses in relation to their global operations and whether they will work in the future, and what strategies businesses are using to deal with any issues that are arising, for example, using contractual provisions.

What submissions say - issues

Lack of EU adequacy has not inhibited trade

One submission (confidential) says the Privacy Act does not seem to resolve the question of whether privacy laws meet the standards of international obligations. Nevertheless, only a very small proportion of the submissions that the Office received from stakeholders[47] and few of the comments made in consultation meetings indicate that the failure to achieve EU adequacy has impaired business and trade with European organisations. One confidential submission, for example, raised concerns that Australian organisations are unable to state that their privacy policies actually meet contractual obligations of international agreements. On the other hand, the Australian Direct Marketing Association (67) states:

‘it is clear that although Australia’s privacy regime has not been recognised as ‘adequate’ for the purposes of the EU this has not hindered organisations’ ability to conduct business with European counterparts’[48].

The Australian Bankers Association (70) and the Investment and Financial Services Association Ltd (89) call for the Privacy Commissioner to press for EU adequacy.

3.2 Recommendation: EU ‘adequacy’ and APEC

17. There is no evidence of a broad business push for ‘adequacy’. Given the increasing globalisation of information, however, there may be long term benefits for Australia in achieving EU ‘adequacy’. Certainly the globalisation of information makes the implementation of frameworks such as APEC important. The Australian Government should continue to work with the European Union on the ‘adequacy’ of the Privacy Act and to continue work within APEC to implement the APEC Privacy Framework.

3.3 NPP 9

Law and policy

The operation of NPP 9 is an important aspect of the global operation of the private sector provisions. NPP 9 outlines the circumstances in which an organisation can transfer personal information it holds to other countries. This principle is based on the restrictions on international transfers of personal information set out in the European Union Directive 95/46.

In its simplest terms, NPP 9 prevents an organisation from disclosing personal information to someone in a foreign country that is not subject to a comparable information privacy scheme, except where it has the individual's consent or some other circumstances apply, including where:

the transfer is for the benefit of the individual and the organisation can show grounds for a belief that if it were practicable to obtain consent the individual would be likely to give it or

the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the individual between the organisation and a third party.

NPP 9 does not prevent transfers of personal information outside Australia by an organisation to another part of the same organisation, or to the individual concerned. On the other hand, a company transferring personal information overseas to a related company must comply with NPP 9.

Issues

The issues paper noted that it is not clear how easy or otherwise organisations are finding it to work with the provisions of NPP 9 when transferring information, or the extent to which organisations are complying with NPP 9.

What submissions say – issues

Related companies

The Law Council of Australia (36) and the Investment and Financial Services Association Ltd (89) call for clarification of the way NPP 9 and section 13B(1) operate together. These submissions argue that it is not clear whether section 13B(1) enables a body corporate in Australia to transfer personal information to a related body corporate located outside of Australia without reference to NPP 9. One confidential submission states that transfer between related companies should not require additional consent.

Establishing a law is substantially similar

Comments made during the consultation process indicate that there are a number of problems faced by organisations in respect of NPP 9. Many stakeholders express frustration at the fact that there is a lack of guidance regarding the countries whose regimes provide adequate protection equivalent to the NPPs[49]. In this situation the onus is on the organisation to assess the regime of the country in which their trading partner resides. Many stakeholders, especially small businesses, have criticised the efficiency of this system, arguing that they have neither the expertise nor the resources to assess a foreign country’s privacy laws.

Contract

From submissions and the comments received during stakeholder workshops, it appears that organisations are fulfilling their NPP 9 obligations of ensuring that personal information is protected when it is transferred to regions without privacy regimes through contractual arrangements with their trading partners[50]. While some submissions find this to be an effective solution[51], others are concerned about the costs associated with monitoring the compliance of their trading partners[52].

Other Issues

During stakeholder consultations, many consumers expressed concerns about overseas call centres[53]. The recent growth of international call centres has also attracted some attention in the media. The transfer of personal information overseas brings with it a perceived loss of privacy and control.

What submissions say – addressing the issues

Publish a list of countries with adequate privacy regimes

It has been suggested during consultations that the Privacy Commissioner should publish a list of countries found to have adequate privacy regimes[54]. Coles Myer Ltd (60) argues that publishing such a list would require the Commissioner to review and rate laws and governmental directives beyond privacy legislation, which would need to be constantly updated. Coles Myer Ltd (60) does not recommend the Commissioner’s resources be used on NPP 9.

Greater guidance

Some submissions suggest that the Office could provide greater guidance through publishing approved standard contracts to be signed by Australian companies and international trading partners which include provisions that protect information collected in Australia when it is transferred to organisations overseas[55]. The Australian Direct Marketing Association (67) states that an information sheet outlining the issues that should be addressed as part of a contractual agreement would also be beneficial.

Require notice that information is sent overseas

Electronic Frontiers Australia (51) argues that the NPPs should be amended to require organisations to give individuals notice that their information will be sent to a foreign country and that the individual will be required to deal with call centres located in a foreign country. Electronic Frontiers Australia (51) also supports requiring organisations to notify individuals of the means by which the Australian organisation has ensured their personal information will be adequately protected, unless the overseas organisation is subject to substantially similar privacy laws or the individual has consented to the transfer.

Options for reform

Exclude related companies from complying with NPP 9

Disclosure of personal information about an individual by a body corporate to a related body corporate is not ‘an interference with the privacy of an individual’ under section 13B(1)(b). Section 13B relates to the purposes for which information can be disclosed. NPP 9, on the other hand, relates to whether or not information can be sent overseas. Although section 13B(1)(b) enables disclosure of the information, compliance with NPP 9 for transfers of information to a foreign country is still required.

If a company has an organisational link with Australia under section 5B, the extra-territorial provisions in the Privacy Act will apply. Therefore, if personal information is sent overseas to the same company, it will continue to be protected by the Privacy Act because the extra-territorial provisions apply. Section 5B does not appear to apply to related entities outside of Australia. As such, if information is sent to a related company, it may not be protected by the Privacy Act.

Where information is transferred outside of Australia and the extra-territorial provisions do not apply, it is in the public interest that NPP 9 applies. NPP 9 ensures that once the information is transferred, it will be treated in a way that is consistent with Australian privacy laws, or in a way to which the individual consents. The Office does not recommend excluding related corporations from NPP 9.

Publish a list of countries with substantially similar laws

Publishing a list of countries with substantially similar privacy laws would give organisations that transfer information overseas certainty about the countries to which they can safely transfer information. Establishing whether laws are substantially similar is, however, a very complex task. It would require considerable resources and would have implications for our relationships with other countries. It is not clear that this is an appropriate role for the Office.

Publish standard contractual provisions

The Office could provide greater guidance through publishing approved standard contractual provisions for use by Australian companies and international trading partners. These contractual provisions could provide for how the international company must protect information when the information collected in Australia is transferred to organisations overseas. The EU has issued contract provisions. Developing standard contractual provisions would have resource implications for the Office.

Provide greater guidance through information sheet

The Office could provide greater guidance through publishing an information sheet that outlines the types of issues that should be addressed as part of a contractual agreement and how to more easily assess whether a privacy regime is substantially similar. Although still resource intensive, this may be a more practical approach to take than issuing standard contractual provisions.

3.4 Recommendation: NPP 9

18. The Office will provide further guidance to assist organisations to comply with NPP 9 by issuing an information sheet outlining the issues that should be addressed as part of a contractual agreement and how to more easily assess whether a privacy regime is substantially similar.

4 Protecting individuals’ right to privacy

4.1 Control over personal information

Law and policy

The NPPs reflect the policy that an individual should generally know what personal information an organisation has about him or her and how it intends to use it. The organisation must not collect information unless it is necessary for one or more of its functions or activities (NPP 1). Whether the information is collected directly from the individual or indirectly from a third party, the organisation should ‘take reasonable steps’ to tell the individual, among other things, the purposes for which the information was collected, to whom the organisation usually discloses such information and the consequences of not providing it (NPP 1.3 and NPP 1.5).

Generally speaking, the organisation cannot use or disclose the information for a purpose other than that for which it was collected (a secondary purpose) unless:

the purpose is related (or directly related if the information is sensitive information) to the primary purpose and the individual would reasonably expect the organisation to use it for such a purpose or

the individual has consented to the use or disclosure (NPP 2.1).

The NPPs apply to the collection of personal information for inclusion in a generally available publication, such as a telephone directory. They do not apply, however, once the information has been collected.

Possible topics for submissions

collection practices that limit an individual’s control over his or her personal information

extent to which current practices are essential to business efficiency that outweighs the impact on individual privacy interests

effectiveness of NPPs in ensuring consent to use and disclosure of personal information, where required, is real and voluntary, or if not possible, measures needed to compensate for not having a chance to give real consent

extent to which it should be possible for individuals to consent to unrelated secondary purposes

issues arising in relation to the private sector provisions and personal information that is publicly available and

ways of overcoming any issues that arise on this topic.

Information collected indirectly

The issues paper noted that it may be more difficult to ensure the individual is aware of the matters listed in NPP 1.3 and NPP 1.5 when the organisation collects personal information indirectly. It acknowledged that in some cases it may be ‘reasonable’ to make less effort to give people NPP 1.3 information than it would otherwise be, or even to do nothing at all.

If the individual is not informed, however, he or she may have lost the control over personal information that the NPPs intended individuals should generally have. Information given to one organisation (compulsorily in the case of some publicly available information) may be used by another organisation for a completely different purpose without the individual’s knowledge.

Bundled consent

The issues paper noted that the NPPs do not specifically require organisations to get an individual’s consent to collect personal information (except sensitive information). An organisation can use and disclose personal information without consent as long as the use or disclosure is for the main purpose of collection, or a related (or directly related in the case of sensitive information) purpose, and is within the individual’s reasonable expectations. Generally speaking, an organisation need only get an individual’s consent for uses and disclosures of personal information that are for unrelated secondary purposes[56].

The issues paper focussed on bundled consent, that is, the bundling together of consent to a wide range of uses and disclosures of personal information without giving the individual an opportunity to choose which uses and disclosures they agree to and which they do not, often sought as part of the terms and conditions of a service.

Community attitudes survey

The Office commissioned research into community attitudes towards privacy in 2001 and 2004[57]. Community Attitudes Towards Privacy 2004 reports that while the quality of a product or service was rated as the most important element of customer service by respondents, respect for and protection of personal information was rated almost as highly.

The survey also reports that privacy policies are not necessarily being read, partly due to the length and complexity of the information. Respondents were asked what aspects of a privacy policy are most important to be included in a short privacy notice. The order of importance is:

how the information will be used (47%)

if and when the organisation will pass on my information (15%)

what information will be kept (15%)

how to prevent being contacted for marketing purposes (12%)

how to access or change my information (6%)

can’t say (4%).

What submissions say – issues

Collection practices

Submissions raise a number of issues arising from the collection of personal information. In the view of the Australian Privacy Foundation (90), there is widespread non-compliance with the requirements of NPP 1.3 and NPP 1.5, which will not be likely to be exposed by complaints. Nevertheless, it is satisfied with the qualification that an organisation take ‘reasonable steps’ to ensure that the individual is aware of the matters listed in NPP 1.3.

An organisation’s functions or activities

NPP 1.1 limits the collection of personal information by an organisation to that necessary for its ‘functions or activities’. The organisation itself, however, determines what its functions and activities are, and the limitation on the collection of information may be seen to be illusory.

A number of participants in stakeholder forums raised the issue of the collection of unnecessary personal information. It was said, for example:

when real estate agents collect personal information from tenants, the tenant has little choice but to give the agent the information, otherwise the agent may not deal with them

there are problems with the extent of health information sought as part of pre-employment checks

insurers also sometimes seek more information than seems to be necessary and

a charity organisation said it could not afford to oppose a subpoena demanding access to its files.

Privacy notices

It was suggested that some NPP 1.3 and 1.5 notices are unhelpful and confusing and probably do more harm than good in terms of public awareness and understanding. The Law Council of Australia (36) notes that a practice has emerged of organisations providing lengthy privacy collection notices. It believes organisations are trying to address the criteria required by NPP 1.3 and to put individuals on notice as to what uses and disclosures they might reasonably expect. As a result, it says, consumers are confused.

Electronic Frontiers Australia Inc (51) expresses concern about the practice of including NPP 1.3 information in privacy policies that are subject to change without notice and often are not dated. It provides examples of such notices, including:

[Mobile phone company] reserves the right to change this Privacy Policy at any time and notify you by posting an updated version of the Policy on its web site. The amended Privacy Policy will apply between us whether or not we have given you specific notice of any change. We encourage you to review this Privacy Policy periodically because it may change from time to time.

Confusion about who should notify

Another issue is the question of who should be responsible for notifying the individual when personal information is rented or sold by one organisation to another: the organisation that collected the information in the first place, or the organisation to whom it has been sold for use. Australia Post (109) and two confidential submissions address this issue.

Indirect collection

Finally, the Australian Consumers Association (15) raises the issue of indirect collection. It is concerned that an individual has no control when personal information is collected indirectly. The collector may collect the information for a primary purpose quite unrelated to the individual’s expectations when he or she handed over the information in the first place:

‘Many of the ‘protections’ in the Act revolve around the control of secondary uses of personal information. However indirect collection can have a primary purpose unrelated to the consumers’ expectations when the data was originally given up – and hence the data is magically transmuted into information the use and possession of which at best the consumer can expect to be informed in retrospect.’

Bundled consent – consumer viewpoint

Most submissions that address the issue of consent discuss bundled consent. The submissions fall into two categories. Submissions from consumer groups are highly critical of the practice of bundling consent. Submissions from business organisations say why it is necessary.

‘Bundled consent’ refers to the practice of bundling together consent to a wide range of uses and disclosures of personal information without giving individuals an opportunity to choose which uses and disclosures they agree to and which they do not. Many submissions address the issue. Submissions from consumer groups criticise the practice.

The Australian Consumers’ Association (15) describes it as ‘where consent is sought too broadly for the consent to have any real controlling influence on the relationship the consumer has with the business.’ Xamax Consultancy Pty Ltd (3) says that it totally undermines the requirement that consent be meaningful, informed and freely given.

In the view of Electronic Frontiers Australia Inc. (51), individuals cannot give free and informed consent when they are presented only with broad and/or vague statements concerning possible uses and disclosures, and/or told that services will not be provided if they do not ‘consent’ to the bundle.

The Consumer Credit Legal Centre’s (62) submission includes a case study highlighting a credit contract which included the statement:

‘I hereby authorise [Finance Corp] or their agents or employees to discuss any information about my account with anyone (emphasis added).’

Some insurers insist members sign a release form allowing the insurer to access any of their records at any time for any reason. The Australian Physiotherapy Association (37) says that this is inappropriate for sensitive health information. It also identifies another unacceptable practice, namely the use of bundled consent by third party insurers to obtain information, sometimes years after the treatment.

The Australian Communications Authority (94) is concerned that individuals are not given the opportunity to consent to some uses and not to others. It says that denial of service is common and that organisations also bundle the receipt of commercial electronic messages from the organisation itself or others with delivery of service or membership arrangements. It is not, in its view, good practice to make provision of a service or other benefits conditional on consent to receive commercial electronic messages.

The Australian Privacy Foundation (90) distinguishes between bundling consent to use or disclosure for a variety of purposes, which may be reasonable in some circumstances, and making consent for a non-essential secondary purpose a condition of doing business, which is not.

Bundled consent – business viewpoint

Many submissions from business, in particular the finance and telecommunications industries, outline the reasons why it is often necessary to bundle consent. Submissions from the health sector also address this issue.

Telecommunications

Both Virgin Mobile (Australia) Pty Ltd (26) and Vodafone Australia Ltd (112) state that obtaining consent for each specific use of an individual’s personal information would significantly increase the complexity and the costs of compliance. Virgin says that these costs would inevitably be passed on to consumers. Furthermore, says Vodafone, unbundling consent would result in an undesirable customer experience for both consumers and suppliers because of the increased volume and frequency of communications that would be necessary to achieve the same result that bundled consent achieves more efficiently.

Finance

Submissions from the finance industry explain why, in the industry’s view, bundling consent is necessary. The Australian Finance Conference (AFC) (63) states that bundled consents have arisen because the meaning of ‘primary purpose’ is uncertain. ‘Primary purpose’ can be interpreted narrowly or broadly. When a customer submits an application for finance, it asks, is the processing of the application the primary purpose of collection, or is it, more broadly, the provision of finance? If the latter, it would include, in addition to processing the application, managing the account, administering insurance claims, recovering money owed and maintaining the value of the asset. The Investment and Financial Services Association Ltd (89) makes a similar point. Both submissions state that to require individual consents for each process would be very costly. In the view of the AFC (63):

‘It was not Parliament’s intention that a financier should be obliged to separately identify each of these uses and provide the individual with the option of selecting which of them he or she consents to. While a computer program could be designed to implement this the cost would be prohibitive and the daily management of customer choices virtually impossible.’

The AFC (63), the Australian Bankers Association (70) and Suncorp Metway Ltd (35) identify other reasons relevant to the issue of bundled consent in the finance industry. For example, the banker’s duty of confidentiality and motor vehicle licensing and registration may require a disclosure notification beyond that required by the Privacy Act. Banks outsource many of their functions to service providers, many of whom are offshore, and if a customer failed to consent to the disclosure of their information to the service provider it would be unlikely that the organisation could provide a service to the customer. Finally, they say customers have extensive freedom and choice of product and provider in the finance sector.

Doctors

The Australian Medical Association Ltd (29) states that doctors will continue to bundle consent as long as the primary purpose for collecting personal information in NPP 2 is taken to relate to an episode of care. If, on the other hand, primary purpose were the health and well being of the patient then there would be no need for doctors to bundle a series of consents. In addition, in the view of the Department of Health, South Australia (53), it is impractical not to have bundled consent in the context of existing electronic architecture and general medical practices, and it is impractical to make a decision in one sector (for example, the private health sector) because it will inevitably affect the other because of the interconnectedness of the public and private medical sectors.

Residential tenancy databases

Residential tenancy databases are a particular case. Many real estate agents use tenancy databases to help them decide whether or not to let a property to a particular person. When applying to rent a property a prospective tenant will be expected to provide personal information for disclosure to a tenancy database. He or she has little choice but to consent. The Tenants’ Union of Queensland (69) says:

‘Through one signature, individuals’ consent is gained for a range of matters, and without this they will be denied the tenancy. By gaining this consent, the collecting organisation has a greater ability to use and disclose the information. The uneven bargaining power means consumers have little or no power to resist the invasion of privacy and are pressured to consent to a range of things they may not really agree with’.

The Tenants’ Union ACT (87) agrees. It believes that, because of this practice, a prospective tenant has no real choice about handing over their personal information, so the protection that would otherwise be provided by the NPPs is lost to them, that is, the NPPs do not work.

At recommendation 7, this report suggests that the Australian Government should consider amending the Privacy Act to provide for a power to make a binding code. It also recommends that, assuming the Act is amended, the Commissioner could make a binding code that applies to tenancy databases. (See recommendation 16 in the Residential Tenancy Databases section.)

Publicly available information

Many people are uncomfortable with the notion that publicly available information, including the electoral roll and the white pages, can be used for purposes other than those for which the information was collected. In the survey, Community Attitudes towards Privacy 2004, commissioned by the Office, for example, 77% of respondents thought that the electoral roll should not be used for direct marketing and 46% thought that the white pages should not be. The issue is more critical as technological developments make it easier to manipulate the material, for example, by reverse sorting it to identify a person’s address from their telephone number.

Submissions are divided as to whether or not publicly available personal information should be subject to the NPPs. Some, for example, Xamax (3), say that publicly available information should be used only for the purpose for which it was collected. The Australian Privacy Foundation (APF) (90) urges the reconsideration of the breadth of the exemption of publicly available information from the operation of the NPPs, other than the collection principles.

The Australian Communications Authority (94) states that the use of publicly available information should be conditional so that ‘it is not automatically assumed an individual agrees to it being used for a myriad of purposes simply as a result of it being readily available’.

Charities are of the opinion that access to generally available information is necessary in order to raise funds. According to the Cerebral Palsy League of Queensland (44), ‘access to publicly listed information is the key to the survival of many organisations’. Not having access would limit its ability to raise funds and to assist in providing services to people with cerebral palsy[58].

Some businesses use publicly available personal information to cleanse their data. Coles Myer (60) is concerned that access to public registers is diminishing as they are ‘a valuable tool to ensure data quality and accuracy obligations under the Privacy Act are met.’[59] In the view of the Australian Direct Marketing Association (ADMA) (67), the industry would struggle to maintain current levels of accuracy without publicly available information, which it regards as an ‘essential updating and validation tool’.

For members of the Australian Finance Conference (63), it is imperative to be able to continue to collect personal information from public sources to verify objectively the identity of an applicant for finance and his or her asset holdings, and to confirm capacity to repay. They believe also that access to public sources is essential to meet their obligations under NPP 3.

The Australian Institute of Private Detectives (38) and the Institute of Mercantile Agents, the Australian Collectors Association and the Australian Institute of Credit Management (115) argue in favour of the continued availability of publicly available information to enable them to carry out their investigative and debt collecting functions.

Finally, some submissions want no change to the existing law. Australia Post (109), for example, believes that any proposal to review the collection and use of publicly available personal information is unnecessary. Similarly, the Victorian Automobile Chamber of Commerce (113), whose members use publicly available personal information, among other sources, to identify potential customers, would oppose any proposal to prohibit or limit its use.

What submissions say – addressing the issues

Short form privacy notices

One of the consequences of the requirements of NPP 5 (Openness) and NPPs 1.3 and 1.5 is that privacy notices are often very long. In the view of Australia Post (109), the obligations imposed on organisations by NPP 5, particularly NPP 5.1, have had the positive effect of creating privacy awareness in the community.

The Law Council of Australia (36) supports the move by the Data Protection and Privacy Authorities internationally to develop a condensed or short privacy notice. Furthermore, it considers that organisations should not be required to include information which is obvious to the ordinary consumer in a privacy collection notice. The need for short privacy notices was also raised in consultations. On the other hand, the Investment and Financial Services Association (89) says that although disclosure documents issued by its members may appear lengthy, they contain detailed information assisting consumers to understand their rights.

Office should give more guidance

The Australian Privacy Foundation (90) suggests that further guidance from the Office as to what constitutes an acceptable NPP 1.3 or NPP 1.5 notice, or what does not, would be helpful. It also suggests the Office could play a role in improving the intelligibility and clarity of notices. It suggests the Office should become much more proactive in issuing template notices for different sectors and that these should be developed in consultation with industry bodies and relevant non-government organisations.

Stricter regulation of privacy notices

Electronic Frontiers (51) suggests that privacy policies containing NPP 1.3 and NPP 1.5 information should have to include the date of issue, and changes made since the earlier version should have to be highlighted or noted. It also suggests that changes to NPP 1.3 and NPP 1.5 information involving new uses or disclosures should not be able to apply to previously collected information, unless the organisation has directly notified the individual concerned of the changes and provided an opportunity to opt out of the new uses or disclosures, or to terminate the relationship with the organisation without detriment.

Finally, Electronic Frontiers (51) suggests an organisation should not be able to rely on NPP 2.1 to use or disclose an individual’s personal information, unless the information in the NPP 1.3 or NPP 1.5 notice is specific enough to enable the individual to give free and informed consent, or to make an informed choice about whether to provide the information. A confidential submission also states that the notification requirements should be strengthened in the context of the transfer of health information within multidisciplinary teams.

Onus should be on supplier of personal information

A confidential submission states that list brokers and telecommunications companies that supply lists to other organisations should be required to ensure that their list collection and generation processes are compliant with NPP 1.3 and NPP 1.5 to reduce complaints to the organisations using the lists.

Limit collection

The Australian Privacy Foundation (APF) (90) suggests that NPP 1.1 should require an objective test of what is necessary for an organisation’s functions or activities, that is, that the organisation should not be able to determine for itself whether or not information is necessary. It says NPP 1.1 should be amended to make it clear that compliance can legitimately be challenged by a third party, particularly by the person whose information is being collected.

APF (90) goes on to say that there should also be a proportionality requirement, that is, the type and amount of personal information collected should be no more than is required for the collector’s primary purpose. Consideration should also be given to including a provision that collection should be allowed ‘only for purposes that a reasonable person would consider are appropriate in the circumstances’[60].

The Australian Retailers’ Association (111) recommends that the collection of personal information for the purpose of making refunds should be explicitly allowed under the Act. This is because, it says, the ability to collect personal information when making a refund provides some degree of protection against a possible fraud where the goods have been stolen and exchanged for cash.

The Privacy Law Consulting Network (66) suggests that, in the light of the judgment in a case decided in 2004[61], it would be desirable to define the phrase ‘functions or activities’ to provide more certainty for business.

Publicly available personal information

The Australian Finance Conference (63) recommends that the definition of personal information be amended to exclude information obtained from public sources and unsolicited information.

Options for reform

Amend NPP 1.1

NPP 1.1 limits the collection of personal information to that necessary for an organisation’s ‘functions or activities’. This limitation could be strengthened by amending NPP 1.1 to make the test of what is necessary for an organisation’s functions or activities an objective one, so that the organisation itself would not be the judge of what information is necessary. This would make it possible for an individual to challenge the collection of particular information. However, in practice it would be difficult to implement, and it is not likely that the benefits of doing so would outweigh the costs.

Amend NPP 5.1

NPP 5.1 requires an organisation to set out in a document clearly expressed policies on its management of personal information. It is, however, somewhat vague about what it requires organisations to do. Short form notices would improve the quality of an organisation’s communication with its customers. NPP 5.1 could be amended to clarify the openness obligation.

Privacy notices could be dated

Privacy notices are often not dated. This makes it difficult for consumers to establish exactly what they were told, or agreed to, at a particular time. Privacy notices could be dated as a matter of ‘best practice’, and the Office could publish advice to that effect.

Develop short form privacy notices

Privacy notices have become very long. A long privacy notice may not fulfil its purpose of informing a consumer, because the consumer may be overwhelmed and confused by its length. The Office’s Community Attitudes Survey reports international research that shows that people do not necessarily read privacy notices, partly because they are too long and complex[62].

Longer privacy notices have come about partly as a result of organisations’ uncertainty as to the distinction between the primary and secondary purposes of collection and their attempt to avoid ‘bundling’ consent to a number of purposes of collection. There are international moves to develop short form privacy notices. There could be provision for short form notices, followed by a longer notice that includes all the information required by NPPs 1.3 and 1.5. A consumer who is satisfied with the information provided in the short form notice need not read the longer notice, yet all the information is available to the consumer who wants it. This may also satisfy the Openness requirement in NPP 5.

Office could assist organisations with notices

The Office is currently working towards developing a short notice for its own personal information handling practices with a view to demonstrating how such a notice might work in a public sector agency. It acknowledges that getting notices right may be difficult for some organisations, especially smaller businesses that do not have access to extensive legal advice. Subject to the availability of resources, the Office could play a more active role in assisting businesses to develop their notices by developing template notices for different sectors, in consultation with them, and by issuing examples of both satisfactory and unsatisfactory notices.

Office could publish guidance on bundled consent

Bundled consent is a practice that may confuse consumers and may derogate from their rights under the Act. It is also an issue that confuses a lot of organisations. The Office could play a role in working with stakeholders to clarify the issue. The Office could publish guidelines about bundled consent.

Publicly available personal information

It is clear that restricting the use of publicly available personal information further than has already occurred may inhibit the operations of some businesses and the fundraising activities of charities. However, the restriction as currently applied is consistent with the policy underlying the Privacy Act that information provided for a purpose should be used only in accordance with that purpose.

Office could play greater educative role to raise community awareness

Community awareness of individuals’ privacy rights and confidence in the protection of individuals’ rights are growing slowly but are not high. The greater the awareness an individual has about his or her rights, the more likely he or she will exercise control over what is done with the information. The Office could play a significant role in raising community awareness and confidence. Business and consumer groups alike agree that this should be so. An enhanced educative role would have resource implications for the Office. This is discussed in more detail later in this chapter.

4.2 Recommendations: Control over personal information

19. The Australian Government should consider amending NPP 5.1 to provide for short form privacy notices. This could also clarify the obligations on organisations to provide notice, and the links between NPP 1.3 and NPP 5.1.

20. The Office will encourage the development of short form privacy notices. It will also play a more active role in assisting businesses to develop their notices by developing template notices for different sectors, in consultation with them, and by issuing examples of both satisfactory and unsatisfactory notices.

21. The Office will develop guidance to the effect that privacy notices should be dated.

22. The Office will develop guidance on bundled consent, noting the possible tension between the desirability of short form privacy notices and the desirability of lessening the incidence of bundled consent.

4.3 Direct marketing

What is direct marketing?

Direct marketing refers to the promotion and sale of goods and services directly to the consumer. Direct marketers promote their goods and services by mail, telephone, email or SMS. They compile lists of consumers and their contact details from a wide variety of sources. These include public records such as the white pages, the electoral roll, registers of births, deaths and marriages and land titles registers. They also include membership lists of business, professional and trade organisations, survey returns, mail order purchase information and so on. Organisations that have their own database of consumers to whom they supply goods or services, for example, telephone companies and other utilities, may also use their database for direct marketing. Direct marketers may also acquire databases from other direct marketers.

Law and policy

When can personal information be used for direct marketing?

Direct marketing is directly addressed by NPP 2.1, which governs the use and disclosure of personal information. NPP 2.1 distinguishes between the primary and the secondary purposes of collecting personal information, and limits the use and disclosure of information for a purpose other than the primary purpose of collection.

Information collected for the purpose of direct marketing

An organisation that collects information for the primary purpose of direct marketing, whether directly from the individual who owns the information or from someone else, can use and disclose it for that purpose. The same applies if direct marketing is related to the purpose for which the information was collected (directly related in the case of sensitive information) and the person from whom it was collected would reasonably expect the organisation that collected it to use or disclose it for direct marketing.

Information not collected for the purpose of direct marketing

In some circumstances an organisation can use personal information for direct marketing even if direct marketing was not the primary purpose of collection and direct marketing is unrelated to the purpose of collection and not within the reasonable expectations of the person who owns the information. The organisation may use the information if:

the person from whom the information was collected has consented to the use or disclosure of the information for direct marketing or

(if the information is not sensitive information) it is impracticable to get consent before using the information and

the direct marketing organisation gives the individual the opportunity to opt-out of receiving material (at no cost)

the individual has not already asked the organisation not to send material

in every communication the organisation draws the individual’s attention to the fact, or prominently displays a notice, that he or she may opt-out of receiving further material and

each communication includes the relevant contact details of the organisation (including electronic contact details if the material was sent by electronic means)[63].

Individual may not know that information has been collected for the purpose of direct marketing

An individual whose information is collected by a direct marketing organisation for the purpose of direct marketing may not necessarily know that this has occurred. The organisation may, for example, purchase a list from another organisation. The purchasing organisation must then ‘take reasonable steps’ to ensure the individual has been made aware of, among other things, the purposes for which the information was collected[64].

Whether or not the individual is made aware hinges therefore on what constitutes reasonable steps to make him or her aware. It may be reasonable to do very little to ensure that all the people on the list are made aware that the list has been acquired for the purposes of direct marketing. Even when the information is collected from the individual directly, he or she may not understand it is being collected for direct marketing purposes. For example, an organisation may run a competition for the primary purpose of collecting information, awarding prizes to successful entrants being a secondary purpose. The individual, on the other hand, may assume that the purpose of the competition is to provide an opportunity to consumers to win prizes. Even if he or she reads the fine print, an individual is unlikely to draw a distinction between a primary and a secondary purpose and to understand the consequences of the distinction.

Rationale

The provisions are intended to strike a balance between the business interests of organisations involved in direct marketing and the privacy interests of consumers affected by the activity. The legislation acknowledges the commercial practice of direct marketing and the related activity of acquiring personal information about individuals to enable organisations to market their products efficiently and effectively. It also recognises the privacy interests of individuals who may find themselves the unwilling recipients of direct marketing material.

Community attitudes survey

The Office commissioned research into community attitudes towards privacy in 2001 and 2004[65]. Community Attitudes Towards Privacy 2004 reports that concerns about unsolicited marketing material have dropped slightly since 2001. Nevertheless, 61% of respondents feel either ‘angry and annoyed’ or ‘concerned’ when they receive marketing material. While 77% of respondents are opposed to the use of the electoral roll for marketing purposes, respondents are roughly evenly divided about the use of the White Pages (44% in favour and 46% against)[66].

Issues

The issues paper drew attention to the fact that the NPPs require organisations to give individuals the opportunity to opt-out of receiving material when direct marketing is a secondary purpose of collection of personal information, but do not do so when direct marketing is the primary purpose of collection. The issues paper suggested possible topics for submission, including:

the appropriateness of the opt-out provisions and NPP 2.1(c) generally

the different protection that applies to information used for direct marketing according to the purpose for which it was collected, and whether the inconsistency raises issues for individuals or business

evidence of the incidence of complaints about the application of NPP 2.1(c)

business practice in relation to opt-out and whether or not organisations are providing it even when not required to do so and

how to address issues that arise in relation to privacy and direct marketing for individuals or business.

What submissions say – the issues

Overview

Most submissions that address this issue focus on whether consumers should be able:

to opt-in to direct marketing by an organisation, that is, be given the opportunity to elect to receive material, or not, before it is sent or

to opt-out, that is, on receipt of the first (or a subsequent) communication, be given the opportunity to say they do not want to receive further material.

Consumers

In the view of the Consumer Credit Legal Centre (NSW) Inc (62) and the Consumers’ Federation of Australia (65), the direct marketing provisions of the Privacy Act favour the interests of business over those of consumers. The provisions start with the assumption that personal information can be used for direct marketing. Their submissions favour opt-in because it gives consumers some control over the use or disclosure of their personal information.

The Australian Consumers’ Association (15) points out that the corollary of not needing to seek consent (when the personal information has been collected for the purpose of direct marketing, whether directly or from a third party) is that the consumer has no capacity to withdraw consent. It nominates as a useful guide to contemporary thinking the eMarketing Code of Practice[67]. It also suggests that it would be better to adopt the approach of the Spam Act and to refer to ‘commercial messaging’, which is wider than traditional direct marketing and avoids boundary issues about what marketing is direct and what is not.

Electronic Frontiers Australia Inc (51) notes that the direct marketing provisions of the Privacy Act are inconsistent with the Spam Act, which requires consent. (The Spam Act, on the other hand, exempts some senders from the requirement to provide a means of opting out.)

Finally, the Australian Privacy Foundation (90) makes the point that if NPP 2 is working well, then NPP 2.1(c) adds nothing but confusion.

Business

Submissions from businesses and business organisations strongly favour opt-out, that is, that it is sufficient that organisations give consumers an opportunity to opt-out of any further communication. Compvice Pty Ltd (48), a small business providing voice broadcast services, says:

‘Most people do want to receive telemarketing and marketing material. I see this every day. I have developed a simple way for people to opt-out of our voice broadcast campaign, pushing the number 9 on their phone ... We have made 10 000s of calls using this system and found on average less than 5% of people opt-out’.

It goes on to say that the problem is that there is no simple and effective way for this 5% of people to opt-out of all marketing lists and that there is no ‘Do Not Contact’ list apart from ADMA’s, which is ‘too expensive for some small businesses to access.’

Opt-out works well for business

Submissions from business agree that opt-out works well. Suncorp-Metway Ltd (35), for example, provides its customers with an opportunity to opt-out from direct marketing when it collects personal information in the first place. It has had no complaints. ANZ (40) says opt-out is working well – 5% of its customers opt-out. The Australian Bankers Association (70) says there is a low opt-out rate across the industry (less than 10%) and that most customers want direct marketing material.

Coles Myer (60) also says that opt-out is working well. It maintains an opt-out register and regularly washes its direct marketing list against its own register and against the ADMA register. It has more complaints from people not receiving marketing material than it has complaints about junk mail. This is consistent with the experience of Optus (98). It accepts all opt-out requests, has very few complaints and reports that customers want its marketing material.

Economic considerations

A number of submissions address the economic implications of changing the law to require opt-in instead of opt-out. Telstra Corporation Ltd (110) says that amending NPP 2.1(c) would result in additional compliance costs that would be unwarranted and not required.

Other submissions look at the broader consequences of change. The Mailing House (79) points out that the direct marketing industry is a major contributor to the economic health of Australia. It says that any change impeding it:

‘would have a serious effect upon the health of this sector and accordingly the financial wellbeing of The Mailing House and the 50 or so families who rely on its financial strength and success to establish and provide their households, educate their children, and provide all the other essentials and luxuries that help make a strong Australian economy’.

Credit Union Services Corporation (CUSCAL) (64) considers the competition implications of any change which, it says, would favour its larger competitors, in particular the major banks.

Charitable organisations

Submissions from several charitable organisations express concern about the possibility of a change to opt-in. The Royal Institute for Deaf and Blind Children (24) says that direct marketing is the most effective way of communicating with the public.

The Cerebral Palsy League of Queensland (44) says that opt-in would result in a loss of income and a loss of employment.

The Fundraising Institute (52) does not support changes to NPP 2.1(c) because, in its view, the provision provides adequate and appropriate opt-out options for individuals.

A participant in one of the stakeholder forums said that to take away the ability of charitable organisations to market directly would impose a significant burden on the community, as services provided by charities would be unable to continue.

ADMA submission

In its submission, which is supported by a number of organisations[68], the Australian Direct Marketing Association (ADMA) (67) states that the most important aspect for an individual when providing personal information to an organisation is to understand how the organisation is going to use it. This is based on ADMA’s own research.

It acknowledges that where an organisation indirectly collects data for the primary purpose of direct marketing the individual may, in some instances, lose control of their personal data. It would support a recommendation that organisations indirectly collecting information for unsolicited direct marketing purposes be obliged to ensure that at the time of collection or as soon as possible after collection (that is, at the first marketing approach) the individual is given an opportunity to opt-out of further direct marketing.

ADMA goes on to say that 80% of respondents to its research are comfortable with organisations collecting and using personal information for direct marketing purposes if, within the first marketing communication and at any time subsequently, they are given an opportunity to opt-out of future communications.

ADMA reports that 68% of respondents to its research would be comfortable with giving organisations their details for direct marketing purposes if they had a right, at any time, to ask the company to stop using them for direct marketing purposes. ADMA says it is standard practice for its member organisations to comply with any request received from an individual not to receive further marketing approaches, even when not required to do so by law.

What submissions say – addressing the issues

General right to opt-out

As discussed above, consumer groups favour opt-in as the general rule and businesses and charities opt-out. In its submission, ADMA states that it would support a recommendation that:

the individual should have a general right, at any time, to opt-out of future direct marketing approaches and

the organisation should be obliged to comply with the request within 45 days of receipt.

This is consistent with the Privacy Commissioner’s submission to the Senate Legal and Constitutional Legislation Committee Inquiry into the Provisions of the Privacy Amendment (Private Sector) Bill 2000. The submission argued that all organisations using personal information for direct marketing should be required to give the individual the express opportunity at the time of first contact to express a wish not to receive any further direct marketing communications. This could possibly be qualified where the use is within the reasonable expectations of the individual or consistent with the ongoing business relationship of the direct marketer and individual. It would overcome the current distinction in the NPPs between personal information collected for the primary purpose of direct marketing from a third party and personal information used for the secondary purpose of direct marketing. As long as the process for opting out was not difficult and the request acted on promptly, this would give individuals a degree of control.

On the other hand, the proposal does not go beyond what ADMA says is the current practice. In the view of the Australian Privacy Foundation (APF) (90), a simple across-the-board requirement to offer an opt-out with every communication is justified by the level of irritation with direct marketing and the general lack of awareness and understanding of marketing methods. It goes on to say:

‘This should not be taken as surrendering our position in relation to a positive consent requirement (opt-in) for direct marketing which is outside the reasonable expectations of individuals when their information was collected’.

APF says opt-in should apply to direct marketing which is outside the reasonable expectations of individuals when their information was collected. In addition, the APF supports national ‘do not market’ registers.

Consent

In the view of Electronic Frontiers Australia Inc (51), a general right to opt-out of future communications is not enough. It says that the NPP 2.1(c) exception permitting secondary use of personal information for direct marketing without consent is inconsistent with the recently enacted Spam Act and is totally unacceptable and must be amended. It says personal information should only be used for marketing purposes with explicit consent, not by default.

Other submissions refer to the Spam Act, which requires an individual’s consent to the use of personal information for the purpose of direct marketing. The Australian Communications Authority (94) says that an opt-out regime was found to be unworkable in relation to the sending of commercial electronic messages. The Law Council of Australia (36) recommends that consideration be given to harmonising the direct marketing provisions of the NPPs with the Spam Act.

In Canada, a note to Principle 4.3 of the Personal Information Protection and Electronic Documents Act 2000, dealing with consent, acknowledges that seeking consent may be impractical for a charity or direct marketing firm that wants to buy a mailing list from another organisation. It says that, in such cases, the organisation providing the list would be expected to obtain consent before disclosing personal information.

More effective ‘Do Not Contact’ registers

Some submissions refer to ‘Do Not Contact’ registers. ADMA maintains such a register. Individuals may register their name on a Do Not Contact list in relation to mail, telephone, direct response television, the internet and mobile phones. ADMA members and other organisations can wash their lists against the ADMA list.

However, it is not an absolute and universal ‘Do Not Contact’ list, as not all direct marketers are ADMA members, and likewise some businesses may not make the commercial decision to access the names on the list. In addition, some small businesses may not be able to afford to use it. Compvice Pty Ltd (48) says there needs to be a cheaper way to access the register.

The Australian Privacy Foundation (90) and Sensis (84) favour ‘Do Not Contact’ registers. In Sensis’ view, the introduction of a national ‘Do Not Contact’ register could improve privacy protection for individuals.

Inform individuals where information came from

In its submission, ADMA says its experience is that informing individuals of the source of the data being used gives them more control over their personal information and reduces the number of repeat complaints about unsolicited marketing. It goes on to say:

‘Although ADMA would support a recommendation that NPP 5.2 be amended to require an organisation, on the request from an individual, to inform the individual where the data was sourced, there is a concern that many small organisations, in particular charities, do not currently have the technical capability to comply with such a requirement’.

That being said, ADMA believes the issue is of sufficient importance that organisations should be taking appropriate steps to ensure this requirement can be met. As it is clear that some organisations will need time to make necessary adjustments, ADMA recommends that the requirement to disclose the source of data on request be introduced initially as a best practice guideline with the understanding that, after a period of 18-24 months, the requirement will become mandatory through either a Code rule or legislative amendment.

Few written submissions address this issue. In stakeholder forums, there was considerable support for the idea. In Adelaide, for example, a number of people were in favour of introducing a requirement for direct marketers to tell people from whom they got an individual’s personal information. Participants representing charitable organisations argued that to do so would be too costly and difficult for many charities to implement.

Options for reform

General right to opt-out

It appears that most organisations give consumers a right to opt-out of future direct marketing approaches whether or not direct marketing is a secondary purpose of collection. This gives consumers a degree of control over the use of their personal information they would not otherwise have. It may not add unduly to compliance costs if organisations are required to give all consumers the right to opt-out of future direct marketing at any time and to comply with the request within a specified timeframe.

No direct marketing without consent

A more stringent requirement would be to require direct marketing organisations to acquire the individual’s consent before using his or her personal information for the purpose of direct marketing. The Spam Act provides a precedent for this. On the other hand, requiring consent would increase costs for business and for charities that are dependent on direct marketing to raise funds.

Require organisations to tell individuals where their personal information came from

One of the aspects of unsolicited direct marketing that appears particularly to irritate consumers is that the direct marketer has acquired their personal information without their knowledge or consent. The direct marketer is under no obligation to inform an individual where it acquired the personal information. If it were, the individual could then complain to the organisation that had released the information and, if appropriate, make a formal complaint to the Office. Organisations could be required to tell individuals, on request, the source of their personal information. The organisation would have to tell the individual only where it got the information from, not the original source.

Establish a ‘Do Not Contact’ register

ADMA maintains a ‘Do Not Contact’ register for the use of its members and other organisations. Its existence could be more widely known in the community. Membership of ADMA and the cost of accessing the register on a regular basis may be beyond the resources of some small businesses. A well publicised national register may reduce the level of unwelcome direct marketing. There are precedents in the United States (where 62 million phone numbers were registered in the first year of operation) and the United Kingdom. Different models exist which may exempt certain organisations.

4.4 Recommendations: Direct marketing

23. The Australian Government should consider amending the Privacy Act to provide that consumers have a general right to opt-out of direct marketing approaches at any time. Organisations should be required to comply with the request within a specified time after receiving the request.

24. The Australian Government should consider amending the Privacy Act to require organisations to take reasonable steps, on request, to advise an individual where they acquired the individual’s personal information.

25. The Australian Government should consider exploring options for establishing a national ‘Do Not Contact’ register.

4.5 Awareness of, confidence in and capacity to exercise rights

Law and policy

One of the objects of the private sector provisions is to establish a scheme for the handling of personal information that recognises individuals’ interests in protecting their privacy. The provisions recognise those interests by:

requiring organisations, where reasonable, to give an individual information about their information handling practices so he or she can make a decision about whether or not to give their personal information

requiring organisations to get an individual’s consent to collect or disclose in certain circumstances

giving individuals the right to access information a business holds about them and

enabling individuals to complain to the Office if a business does not comply with the NPPs.

The provisions aimed to ensure that ‘Australians can be confident that information held about them by private sector organisations will be stored, used and disclosed in a fair and appropriate way’[69].

Issues

The issues paper suggested a number of topics for submissions related to individuals’ capacity to exercise their right to privacy. It asked about:

evidence of levels of awareness and the impact of this on the operation of the private sector provisions

effectiveness of the information provision requirements in raising awareness, how to improve privacy notices and how to improve awareness generally

evidence of levels of community confidence that privacy rights are protected and ways to encourage confidence, in particular confidence that privacy is protected online and

information about the extent of individuals’ ability to exercise their rights and how to improve it, and the impact of the Office’s approach to handling complaints.

Role of the Office

The Office plays an active role in raising awareness about individuals’ privacy rights and in addressing their concerns about possible interference with their rights. It provides information by way of its information hotline and its website. The website contains all the Office’s publications, answers to Frequently Asked Questions, media comments, media releases, speeches, case notes, an online complaint checker, multi-lingual web pages, guidelines, information sheets, brochures and the annual report.

To the extent that the Office’s activities in raising awareness are successful, community confidence that individuals’ rights are protected is likely to be increased. If an individual’s privacy rights are interfered with and he or she cannot resolve the issue with the organisation concerned, the Office will investigate the complaint, conciliate it, if appropriate, or make a determination.

Role of organisations

Organisations also play a role in raising awareness and in addressing the concerns of individuals who fear their privacy may have been breached. Organisations collecting personal information are required to take reasonable steps to provide NPP 1.3 or 1.5 notices and must have a privacy policy available to anyone who asks for it (NPP 5). This kind of information may also increase confidence that individuals’ rights are protected. In the event of a breach of privacy, the individual’s first port of call to resolve it is the organisation.

Community awareness survey

Awareness of rights

Community awareness was one of the issues canvassed by the research into community attitudes towards privacy commissioned by the Office in 2001 and 2004.[70] In general terms, it showed levels of awareness were low, although higher in 2004 than in 2001. Only about one in four respondents claimed to know an adequate amount or more about privacy. The number of respondents who were aware that federal privacy laws existed, however, increased from 43% in 2001 to 60% in 2004.

The research showed that 53% of respondents know that government agencies are covered by privacy law; 56% know that banks, insurers and other financial institutions are covered; and 47% that there are some restrictions on charities, private schools and hospitals and other non-government organisations.

Confidence rights are protected

The research showed differing levels of confidence that rights are protected depending on the industry. Health service providers have the highest levels of trust (89%), followed by financial organisations (66%), government organisations (64%), charities (54%), retailers (39%), market research organisations (35%), real estate agents (26%) and mail order companies.

Only 9% of respondents trust internet companies, which were intended particularly to benefit from the introduction of the private sector provisions.

Individuals’ ability to exercise their rights

The research showed that 34% of respondents were aware that the Federal Privacy Commissioner existed. (In 2001, 36% were aware.) However, 29% of respondents said they did not know to whom they would report the misuse of their personal information. Of the rest, only 7% mentioned the Federal Privacy Commissioner, the others mentioning a number of different organisations.

Demographic information about complainants

As noted in the issues paper, the Office had not previously collected demographic information about complainants. To identify which sections of the community were making privacy complaints to the Office, the Office conducted a three month complainant demographic survey from December 2004 to February 2005.

The Office received a very small response to the survey – 36 responses from over 250 surveys sent. The response rate is too small to rely on as an accurate representation of total complainants; however, the Office was able to extract information from its complaint management software that suggests, at least in respect of gender, the survey results may be representative. The figures suggest that it could be the case that the demographic profile of complainants to the Office is not representative of the wider community.

The results of the survey are described in Appendix 13. The Office will continue to collect complainant demographic information.

Multicultural Tasmania (4), while commending the Office on having multilingual pages on its website, recommends the Office think about other ways to distribute privacy information to people from diverse language backgrounds.

What submissions say - issues

Awareness

Most submissions that address this issue believe that community awareness of individuals’ privacy rights is not high[71]. In the view of the Australian Direct Marketing Association (ADMA) (67), community awareness of rights is important and is fundamental to the effective operation of the private sector provisions and the NPPs.

Business SA (92) says there is a widespread lack of understanding of privacy provisions in the community and a significant burden on the private sector to educate the general community about their privacy rights and responsibilities. The Australian Medical Association (29), for example, says that patients still complain to it about possible breaches of privacy.

The Australian Consumers’ Association (15) narrows the issue. It argues that the critical issue is that the consumer is aware of his or her rights when it matters, that is, when he or she has a problem, not at the time of signing up to the service. Lack of awareness goes beyond awareness of consumer rights.

The Australian Compliance Institute (16) says that the obligations imposed on business by privacy laws may undermine consumer expectations. For example, a person may believe he or she is entitled to information about a spouse’s insurance or bank accounts and may not understand why the organisation will not give it to them.

In some areas, however, submissions express a belief that there is a satisfactory level of awareness. The Australian Finance Conference (63) says that in the finance sector, for example, customers are aware of their privacy rights but few exercise them. The Royal District Nursing Service (78) believes its clients are sufficiently aware, except perhaps for its elderly clients. Sensis Pty Ltd (84) believes there is a reasonable level of understanding in the community about its activities.

Participants in stakeholder forums had a lot to say about lack of awareness. One participant, for example, said that people are unaware of their rights and are ‘mystified by multiple jurisdictions.’ Further, they do not understand the differences between policies, procedures and legislation. Another said there must be more awareness raising for the NPPs to work and a better injection of the issues into the culture, and that this has to be done by the federal government as the smaller states and territories do not have the money. Some participants asked if the Office was adequately resourced to do what it was supposed to do in raising awareness.

Confidence

Not many submissions address the issue of community confidence in the protection of rights. The Investment and Financial Services Association (IFSA) (89), a body representing the superannuation, investment management and life insurance industries, states that the low level of complaints received by its members, compared to the very large volume of transactions, suggests that the community is satisfied with the level of protection provided by its members. The Australian Association of Permanent Building Societies (91) says that public confidence that privacy rights are protected has been substantially increased as a result of the implementation of the private sector provisions.

The Australian Consumers’ Association (15), however, links confidence that an individual’s rights will be protected with the speed and effectiveness of the remedy and expresses concern with the delays and queues that characterise the Office’s complaints handling. Electronic Frontiers Australia (51) goes further in relation to the protection of rights online. Referring to the finding of the Office’s community attitudes survey that individuals trust internet companies less than any other sector, it says that:

‘any attempt . . . to encourage the community to believe that their privacy “rights” are protected online would be highly misleading at best . . . Individuals have almost no privacy “rights” in the online environment and even the few rights they allegedly have are not protected adequately and are difficult, sometimes impossible, to have enforced’.

The submission then goes on to report some collection and disclosure practices of some internet companies. Optus (98), on the other hand, says that the community attitudes survey indicates that a significant proportion of people do not have confidence in companies that do business online, rather than companies that provide internet services.

What submissions say – addressing the issues

Public awareness campaigns

A number of submissions suggest that there should be a campaign to increase awareness about individual privacy rights. Business and consumers alike suggest the Office is the body best placed to conduct public awareness campaigns and that it should be adequately resourced to do so. Acxiom Australia (71) says that what is needed now is a far-reaching education program about rights and responsibilities under the existing law. More specifically, the Salvation Army (74) says that the Commissioner should give special attention to providing information, education and support to social welfare groups.

Telstra (110) suggests the Office should take steps to lift its profile and should offer regular community education about its own role and the steps individuals can take to protect their privacy. On the other hand, Optus (98) suggests the campaign should be targeted to sectors of the community who have not yet become aware of privacy regulations.

In the view of the Australian Compliance Institute (16), the campaign should focus not only on consumer rights but should also educate consumers about business responsibilities. In the context of health, says the Australian Federation of AIDS Organisations Inc (54), plain English guides explaining all relevant legislation, not just the Privacy Act, are needed.

Change privacy notices

Some submissions link community awareness of rights and improved privacy notices. Australia Post (109), for example, notes that obligations imposed on it and other organisations by NPP 5 have had a positive effect of creating privacy awareness in the community. It suggests that the content, structure and placement of NPP 1.3 notices should be standardised. Privacy notices were discussed earlier in this chapter (4.1).

Office should improve community confidence

Submissions generally look to the Office to take action to improve community confidence that rights are protected. The Fundraising Institute (52) suggests a number of things the Office could do, including both promotional and compliance actions. The promotional actions include:

undertaking strategic marketing to raise community awareness

authorising the use of a logo indicating commitment on the part of the organisation to good practice and

encouraging organisations to develop and promote standards of practice.

ADMA (67) says that with its limited resources, the Office needs to develop strategies that seek partnerships with business to encourage community confidence that privacy rights are protected.

The Australian Consumers’ Association (15) says that one of the ways the Office can encourage community confidence that privacy rights are protected is by more vigorous and apparent enforcement action. The Consumers’ Federation of Australia (65) agrees. It also suggests ways in which organisations can encourage community confidence.

Encouraging individuals to exercise their rights

The AMA (29) suggests that it would be helpful if the Office kept statistics of complaints against doctors to identify where the medical profession is not complying (to assist in developing education programs for doctors) and where complaints are unfounded (to inform community awareness campaigns).

Resources and educative role

Some submissions explicitly suggest that the Office should be better resourced to fulfil its educative role. ADMA (67), for example, says that the education aspect of the Office’s role needs to be more adequately and suitably funded, and until this is so the effectiveness of the NPPs in protecting personal information will be compromised.

Baycorp Advantage (86) supports an increase in resources to the regulator to support its functions. Finally, the Association of Market Research Organisations and the Australian Market and Social Research Society (61) says that the Office should be resourced to assure the public that the law protects their privacy and that the Office should raise the public’s confidence in what is a good system that is in place to protect their privacy.

Options for reform

Community education and awareness programs could be developed

The scheme established by the private sector provisions of the Privacy Act is complaints based, that is, the Privacy Commissioner primarily acts only in response to a complaint made by an individual. Individuals’ awareness of their privacy rights and how to exercise them, and individuals’ confidence that their rights will be upheld, are critical to the integrity of the scheme. Consumer organisations and business alike acknowledge the importance of community awareness of privacy rights and confidence they are protected. Businesses around Australia have invested considerable resources into ensuring they are privacy compliant and are calling for improved community awareness. The Office could form partnerships with community organisations to develop education programs to raise community awareness about privacy, individual privacy rights and enforcement of rights.

The Office could undertake the program

The functions of the Privacy Commissioner include, among other things:

‘for the purpose of promoting the protection of individual privacy, to undertake educational programs on the Commissioner’s own behalf or in co-operation with other persons or authorities acting on behalf of the Commissioner’[72].

The Office of the Privacy Commissioner is best placed to undertake an education program to raise community awareness of privacy and privacy rights. Submissions support this view.

Specifically funded program

The Office would need specific funding to allow it to engage in such a program. Business and consumer organisations have both called for more resources for the Office for this purpose[73]. The Government could consider funding the Office to undertake a systematic and comprehensive education program to raise community awareness of privacy and privacy rights. This will benefit both consumers and business, which will no longer have to use its resources to explain to consumers why it cannot release personal information.

Office to develop promotional strategies

One way to promote awareness of privacy, and good privacy practice, would be to authorise the use of a logo to indicate an organisation’s commitment to good privacy practice. Submissions did not, however, reveal particular interest in it and there is as yet no demand from consumers. Any logo scheme would need to have mechanisms to handle potential breaches of the Privacy Act by logo users. This may have implications for the role of the Office in any logo scheme, particularly in the context of its statutory complaints handling function.

Remove barriers preventing the making of privacy complaints

The complainant demographic survey undertaken by the Office, although somewhat unreliable given the low response rate, suggests that there may be barriers that are preventing certain groups within the community from making privacy complaints to the Office. The Office could take steps to ascertain if there are barriers, for example language barriers, preventing individuals from knowing about and exercising their privacy rights. The Office could then seek to implement initiatives that would remove these barriers.

4.6 Recommendations: Consumer education

26. The Australian Government should consider specifically funding the Office to undertake a systematic and comprehensive education program to raise community awareness of privacy rights and obligations.

27. The Office will continue to collect demographic information about complainants. It will seek to identify and then remove any barriers that prevent sectors of the community from knowing about and exercising their privacy rights.

4.7 Access generally

Law and policy

Introducing the private sector provisions, the then Attorney-General said:

‘It is a fundamental principle of fair information handling that individuals be able to access and correct information about themselves’[74].

Subject to specified exceptions, an individual has a right to access personal information an organisation holds about him or her. If one of the exceptions applies, the organisation must, if reasonable, consider using mutually agreed intermediaries. If the individual establishes that the information is not accurate, complete and up-to-date, the organisation must take reasonable steps to correct the information so that it is. An organisation may charge for providing access (but not to lodge a request for access) but the charges must not be excessive (NPP 6).

NPP 6 applies to health information as well as other personal information, supporting ‘what is already good practice among many health professionals’[75].

An organisation may withhold access to health information when ‘providing access would pose a serious threat to the life or health of any individual’[76].

Issues

The Office receives a number of complaints about failure to provide access, especially in the health area[77]. The issues paper suggested possible topics for submissions:

individuals’ experiences in seeking access to personal information an organisation holds about them

business experiences in giving individuals access to personal information and

whether measures are needed to address any issues arising for individuals or business in giving or gaining access to personal information.

What submissions say - issues

Overview

Most of the submissions that discuss individuals’ access to their personal information are concerned with health information and/or the costs of access either for individuals or for organisations providing it. Some submissions discuss access to personal information in the context of retail, tenancy, insurance and telecommunications.

Health information

Several submissions express concern that giving patients access to their medical records, especially when there are mental health issues involved, may cause harm. The Australian Medical Association Ltd (AMA) (29), for example, supports a person’s right to access information held about them but states that there are occasions when that access can cause harm to the patient or interfere with the therapeutic relationship. The exception in NPP 6.1(b), that providing access would pose a serious threat to the life or health of any individual, sets too high a threshold to overcome the harm that might occur to a doctor-patient relationship or the patient.

Furthermore, says the AMA, NPP 6 does not protect a doctor’s private or preliminary views in the thinking processes required for assessment, diagnosis and formulation of a treatment program. This is of particular concern for psychiatrists, who take down facts as described, which may or may not be true, and record their own reactions, which may include an adverse reaction to the patient. In the AMA’s view, it is not appropriate that a patient have access to such notes; even if not life threatening, it can cause disruption to the therapeutic relationship.

Other submissions agree with the AMA’s views. The Mental Health Privacy Coalition (58) would want to ‘white out’ the practitioner’s private thoughts if a patient sought access. Similarly, members of the Australian Psychological Society (103) believe clients may misinterpret what is written.

Life insurance providers have a particular concern. They assess an applicant’s risk on the basis of medical reports but have no knowledge of what the health professional who wrote the report has told the client or whether the client’s life, health or safety might be at risk if they receive the information directly from the insurer[78].

On the other hand, the AMA (29) says there is not enough account taken of the need of a carer to know information about the person for whom they are responsible.

Finally, a confidential submission says consumers are often confused about access when there is an Advance Health Directive or a Power of Attorney in place, or when seeking access to the records of a deceased person.

Health information – use of intermediaries

Some submissions state that the obligation in NPP 6.3 to ‘consider’ the use of an intermediary is not strong enough. Privacy Law Consulting Australia (66), for example, says:

‘this principle is effectively meaningless as the requirement to ‘consider’ the use of a mutually agreed intermediary does not place any obligation on an organisation other than to ‘turn its mind’ to providing access through an intermediary’[79].

Furthermore, the principle does not state what should happen if the parties cannot agree on an intermediary.

Health information – fees

Submissions show a variety of views about the level of fees charged for access to health information.

The Private Health Insurance Ombudsman (10) has received complaints about unreasonable fees charged by a medical practice for access. On the other hand, the Royal District Nursing Service (78) is often left out of pocket when responding to a request for access to information, particularly when the records are no longer on site. In its view the maximum fee allowed under the Victorian Health Records Act is too low. Because the Privacy Act does not include a schedule of fees, a confidential submission says, a wide variety of fees are charged, giving rise to enquiries from consumers.

Finally, the Australian Physiotherapy Association (APA) (37) says that lawyers often ask for records for use in legal proceedings even though, written for the express purpose of providing treatment, they are unsuitable for use in court. The APA speculates that, as some state legislation caps the amount a practice can charge, ‘some lawyers request records in order to avoid paying reasonable costs for a medico-legal report’. Further, it contends that:

‘some legal firms in Victoria and the ACT are abusing this loop-hole and requesting records under privacy legislation so as to shift expenses to the physiotherapist’.

Access to other records

The experience of the Tenants’ Union (ACT) (87) is that it remains very difficult for private housing tenants to access tenant files held by real estate agents, unlike public housing tenants who can use freedom of information legislation. On the other hand, a large retailer, Coles Myer Ltd (60), has had very few requests for access, fewer than 10 since the Act commenced.

Similarly, member organisations of the Australian Direct Marketing Association (ADMA) (67) have received very few requests for access to personal information. Some submissions, including, for example, Clubs Australia and New Zealand (75), express concern about the costs of providing access. Vodafone Australia Ltd (112) states that it is important to be able to implement cost recovery mechanisms for access to personal information.

What submissions say – addressing the issues

Considering the therapeutic relationship

Submissions suggest a number of ways to address these issues. Some submissions from health care organisations consider circumstances when access should not be given. The Australian Medical Association Ltd (AMA) (29) expresses concern that, in the health care context, there are occasions when access to records could cause harm to the patient or interfere with the therapeutic relationship. The Mental Health Privacy Coalition (58) also suggests that the Privacy Act should be clarified to indicate that the threat of destruction to a therapeutic relationship is a serious risk.

Other aspects of access to medical records

Submissions address other aspects of access to medical records. The AMA (29) says that when a patient is discharged from hospital it is necessary to disclose information about the patient’s ongoing care to the patient’s carer, whether or not the patient consents.

The Investment and Financial Services Association (89) says that insurers want to be able to give information to a patient not directly but via the health professional who supplied the information in the first place, or to the patient’s GP, without having to rely on the NPP 6.1 exception, as is possible under the Health Records and Information Privacy Act 2002 (NSW).

Finally, a confidential submission says the Office should issue a fact sheet about access to patients’ health records when there is an Advance Health Directive or an Enduring Power of Attorney in place.

Use of intermediaries

In the view of Privacy Law Consulting Australia (66), NPP 6.3, which provides for consideration of the use of an intermediary when access is denied, should be removed altogether or else amended to impose obligations on both the organisation and the individual.

Fees for access

As discussed above, a number of submissions consider the fees payable for access to health information. A confidential submission says that the Privacy Act should set a maximum fee for access that is realistic.

The Australian Privacy Foundation (APF) (90), on the other hand, is happy with the NPP 6.4 provision that charges for access must not be excessive. Its concern is that the Office considers reasonable what the APF considers manifestly excessive, and it recommends that the provision be amended to make access free or to set a reasonable cap.

Consumer perspective

The Australian Privacy Foundation (90) makes a number of suggestions for change from the point of view of consumers. These suggestions are:

NPP 6 should expressly require organisations to give access to as much information as possible even when an exception applies to some information.

An organisation that denies access on the basis of one of the exemptions should be required to provide intermediary access (not merely be required to consider it). NPP 6 should provide for the Privacy Commissioner to inspect a record on a person’s behalf where access is denied under an exception, and to seek corrections.

There should be a requirement to consult with third party individuals whose information would be disclosed in response to an access request.

There should be a prohibition on an organisation requiring an individual to exercise their access rights with a second organisation and then providing the first organisation with the information.

An individual should not have to ‘establish’ that personal information is not accurate, complete and up-to-date under NPP 6.5; it should be enough for them to have reasonable grounds to believe there is a potential inaccuracy.

Finally, where personal information is corrected in response to a request under NPP 6.5, there should be an obligation to notify any third parties who are known to have received the information that was not accurate, complete or up-to-date, as exists, ‘where appropriate’ or ‘where practicable’, in legislation in other jurisdictions.

Options for reform

Address concerns about access and the threat to the therapeutic relationship

There are a number of possible ways of addressing these concerns, including further limiting the circumstances in which access might be granted and providing guidance on the existing law. There is no doubt that there are circumstances when access to records may cause a breakdown in a therapeutic relationship and that the breakdown in the therapeutic relationship may constitute a serious risk to the patient’s health. However, this does not justify changing the law. Rather, it indicates that there are good reasons for addressing the uncertainties through guidance.

Similarly, the issue of the privacy of the therapist’s personal views may be best addressed through guidance. The NPPs allow an organisation to deny access where it would have an unreasonable impact on the privacy of someone else[80]. This could include a therapist’s views.

Notify others of corrections made to personal information

When inaccurate information has been passed on to others, it is of little comfort that it has been corrected at source but not elsewhere. When an individual’s personal information is corrected in response to a request from the individual, the organisation, where practicable, could be obliged to notify third parties that they have received the inaccurate information.

Use of intermediaries

NPP 6.3 provides that an organisation must, ‘if reasonable, consider’ the use of an intermediary where it has refused access on the grounds of one of the exceptions to access in NPP 6.1. The right is a very limited one. There is a stronger right to the use of an intermediary under the proposed National Health Privacy Code. An intermediary, a nominated health service provider, may, among other things, consider the validity of the refusal and, if he or she thinks it appropriate to do so, discuss the content of the health information with the individual. The relevant provisions are prescriptive and detailed and are not suitable for inclusion in the NPPs. The NPPs could, however, include a similar right. Alternatively, if the AHMAC code becomes a schedule to the Privacy Act[81], the matter will be dealt with by that means.

Set fees for access

There is a significant difference in the cost of providing access to records, depending on a number of variables, including whether the records are on site or not, the number of pages involved and the amount of scrutiny necessary. It is not therefore appropriate to set a single fee for access. What may be suitable in one case may be wildly unsuitable in another.

It may be appropriate for the Office to offer some guidance as to what it thinks is appropriate. Alternatively, the Australian Government could introduce a table of recommended fees in a schedule to the Privacy Act. And, if the AHMAC code becomes a schedule to the Privacy Act[82], the matter may be dealt with by that means.

Office could give guidance re ‘able to establish’ in NPP 6.5

NPP 6.5 requires that an individual ‘establish’ that information is not accurate before the organisation needs to take reasonable steps to correct it. This may be an unduly high standard. It is also unclear. The Office should provide guidance about ‘able to establish’ in NPP 6.5.

4.8 Recommendations: Access generally

28. The Australian Government should consider amending NPP 6 to provide that when an individual’s personal information is corrected in response to a request from the individual, the organisation should be obliged to notify third parties, where practicable, that they have received the inaccurate information.

29. The Australian Government should consider adopting the Australian Health Ministers’ Advisory Council (AHMAC) Code as a schedule to the Privacy Act (see also recommendations 13, 33 and 35). This will address the issue of intermediaries, and the issue of fees for access.

30. The Office will develop further guidance on the operation of NPP 6.1 on ‘serious threat to life or health’, explaining that a serious threat to a therapeutic relationship could be a serious threat to a person’s health. This will go some way towards addressing what appears to be a too narrow interpretation of NPP 6.1(b) by some practitioners.

31. The Office will develop guidance on fees for access to personal information.

32. The Office will develop guidance on the meaning of NPP 6.5, which requires that an individual ‘establish’ that information is not accurate before the organisation needs to take reasonable steps to correct it.

4.9 Transfer of health records to another health service provider

Law and policy

The NPPs do not create specific obligations regarding the transfer of medical records in circumstances where an individual changes from one health service provider to another. In some circumstances, individuals and their providers will simply agree for the records (or copies of them) to be transferred to the new provider. If necessary, an individual may exercise their general access right (under NPP 6) to their health information. If they obtain a copy of their record they can take this to their new provider. However, there is no specific obligation in the Privacy Act requiring a provider to transfer a medical record in full to another provider.

Other regulation may require health providers to do certain things. For example, the Victorian Health Records Act 2001 requires that if an individual asks, then a health service provider must provide ‘a copy or written summary of the individual’s health information’ to another provider. Furthermore, some professional bodies have noted that in line with good clinical practice and relevant codes of ethics, health service providers should ensure that an individual’s new provider receives adequate information to provide treatment.

What submissions say

This issue did not figure prominently in submissions. However, during consultations it was suggested that while this issue is significant, it may be better addressed at the state and territory level, rather than at the Australian Government level. A reason for taking this approach is that health service providers are registered at the state or territory level, usually by registration boards or similar bodies created under state legislation.

Moreover, the management and handling of patient records generally forms part of a health service provider’s professional responsibilities for which they are registered. This could be a more appropriate mechanism for setting out, and addressing as necessary, health service providers’ obligations in this area.

Options for reform

Amend the NPPs – add additional principle

This principle would state that health service providers have express obligations to transfer medical records, or copies of them, to a different provider at the request of the individual concerned.

However, this approach introduces a greater degree of prescription to the NPPs than is currently the case. This may not sit comfortably with the high-level, cross-sectoral intent of the NPPs. It should be noted that if the AHMAC code becomes a schedule to the Privacy Act, the matter will be dealt with by that means [83].

No amendment to the Privacy Act – encourage responses by states and territories

Accepting the view that the transfer of medical records between health service providers is a predominantly professional practice issue, the states and territories (for example, through their medical registration boards) could be asked to set out providers’ obligations in this area.

Jurisdictions could determine whether to set out these obligations in statute or through other professional practice rules and mechanisms connected with provider registration. There would be a need to consider how to ensure national consistency for providers and their obligations across Australia, particularly for those operating (and sharing personal information) across jurisdictions regularly.

Adopt AHMAC code

It is anticipated that the draft AHMAC code will be considered by all Australian health ministers in 2005. Following this, the Australian Government could adopt the AHMAC code. If so, the matter will be dealt with by that means.

No change

As this was not a high-profile issue in submissions, it may be appropriate to make no regulatory change. Those responsible for health policy across all jurisdictions, as well as the Office, could monitor any emerging issues.

4.10 Recommendations: Transfer of health records

33. The Australian Government should consider adopting the Australian Health Ministers’ Advisory Council (AHMAC) code as a schedule to the Privacy Act. This will address the issue of the transfer of health records to another health service provider. (See also recommendations 13, 29 and 35.)

34. The Australian Government should consider, if the AHMAC Code is not adopted into the Privacy Act, amending the NPPs to include a new principle along the lines of National Health Privacy Principle 11 in the AHMAC Code.

4.11 Access to health records when health service ceases to operate

Law and policy

When introducing the private sector provisions, the Australian Government recognised that ‘Australians consider their personal health information to be particularly sensitive and that they expect that it will be handled fairly and appropriately by those who come into contact with it.’ [84]

One element of fair and appropriate handling of health information is that individuals have a right to access information that a health service provider holds about them. Also, individuals ought to have some control over how their information is handled and by whom.

These choices can be difficult to exercise when a health service provider ceases to operate. Under common law, a provider generally retains ownership of the medical records they create. [85] However, this should not reduce an individual’s right to access their health information should they wish to do so in the context of NPP 6, including the prescribed exceptions to granting access.

Health services ceasing to operate

The Office has become aware of a number of cases where individuals have not been able to gain access to their health information because their health service provider has ceased to operate. For example, a practitioner may have retired, they may have died, or their practice may have closed. Records may be left with other providers, or family members or executors of the previous practitioner, for ‘safe-keeping’. In such cases, an individual’s right of access to their health record can be difficult to guarantee.

In some jurisdictions, specific legislative provision is made for ‘abandoned’ records to be retained by a central body, such as a medical registration board. For example, in Queensland, section 260 of the Medical Practitioners Regulation Act 2001 says the Board may take possession of records it considers abandoned. [86] In NSW, the Medical Practice Regulations 2003 impose obligations on how medical practitioners should handle health records in the event of the disposal of a practice. [87]

In Victoria, the Health Records Act 2001, through Health Privacy Principle (HPP) 10, sets out obligations for health service providers when they cease to operate. These obligations include advertising the fact of ceasing operations in local newspapers. [88]

When a health service ceases to operate, this also brings into question a provider’s data security obligations under NPP 4. There is a risk that ‘abandoned’ records may not be afforded adequate levels of storage and security.

What submissions say

Similar to the transfer of medical records, this issue did not figure prominently in submissions. During consultations, however, it was suggested that this matter also could be addressed at the state and territory level. Again, a reason for taking this approach is the registration of health service providers at the state or territory level, usually by registration boards or similar bodies created under state legislation.

The Investment and Financial Services Association (89) says that:

‘occasionally, our members encounter the situation where medical records are not available because the GP has retired, died or moved. From an underwriting perspective we would strongly support a national policy whereby an individual’s medical records are retained in a central body when this situation arises’.

The inability of an individual to get access to their medical record because a health service has ceased to operate can affect not only their health care needs, but also their ability to gain other services such as insurance.

Options for reform

Amend the NPPs – add additional principle

The Privacy Act could be amended in a manner similar to the Victorian HPP 10 and the proposed National Health Privacy Code’s NHPP 10, by adding a similar principle into the NPPs. Such a principle could require providers to do certain things to ensure access arrangements are in place upon the cessation of service, as well as to make individuals aware of how they can seek access to their records.

No amendment to the Privacy Act – encourage responses by states and territories

Similar to the approach suggested with the transfer of medical records, it may be reasonable to take the view that the obligations upon providers for handling health records generally are a predominantly professional practice issue. States and territories (for example, through their medical registration boards) could be asked to set out providers’ obligations for securing records upon cessation of a service, and to ensure that access arrangements are maintained.

Jurisdictions could be asked to create central registers for securing and managing ‘abandoned’ records, in a manner similar to that created under the Queensland Medical Registration Board Act.

Adopt AHMAC code

It is anticipated that the draft AHMAC code will be considered by all Australian health ministers in 2005. Following this, the Australian Government could adopt the AHMAC code. If so, the matter will be dealt with by that means.

No change

As this was not a high-profile issue in submissions, it may be appropriate to make no regulatory change. Those responsible for health policy across all jurisdictions, as well as the Office, could monitor any emerging issues.

4.12 Recommendations: Health service ceases to operate

35. The Australian Government should consider adopting the AHMAC code as a schedule to the Privacy Act. This will address the issue of access to health records when a health service ceases to operate. (See also recommendations 13, 29 and 33.)

36. The Australian Government should consider, if the AHMAC Code is not adopted into the Privacy Act, amending the NPPs to include a new principle along the lines of National Health Privacy Principle 10 in the AHMAC Code.

5 Enforcing individual rights and ensuring compliance

5.1 Introduction

For the private sector provisions to be most effective in protecting individuals’ privacy and in promoting the public interest in privacy, organisations subject to the private sector provisions should be complying with them.

The private sector provisions include a complaints process to enable individuals to complain to the Privacy Commissioner if they believe their privacy has been breached. The Act also gives the Office a power to investigate, on its own initiative, if it thinks an organisation may have breached the private sector provisions.

The scheme does not provide for strict black letter penalties or fines; nor can the Commissioner specify how a particular organisation should comply with the NPPs [89].

The Office also has a role in providing information and advice to organisations to help them to comply. This issue is discussed in Chapter 6.

5.2 Law and policy

Approach to compliance

The Office takes the approach that compliance will be best achieved by helping organisations to comply rather than seeking out and punishing the few organisations that do not. It assumes that most Australian organisations in the private sector wish to comply with their legal obligations. The Office’s emphasis is therefore on providing advice, assistance and information.

This approach is set out in Information Sheet 13 – The Federal Privacy Commissioner’s Approach to Promoting Compliance with the Privacy Act, which is in Appendix 7.

However, the Office actively pursues cases when it identifies breaches of the Privacy Act. It seeks to ensure that organisations remedy breaches and address complainants’ concerns, including by compensating them where that is warranted.

To date the Office has made limited or no use of the more formal enforcement powers, such as making complaint determinations or seeking injunctions from the court, or publicly ‘naming’ and ‘shaming’ [90]. This is in part due to:

the Office’s strong focus on conciliation and alternative dispute resolution as a means of resolving individual complaints

the fact that injunctions are more likely to be relevant in situations where there has been no individual complaint, there is significant and immediate harm and where the respondent is recalcitrant and

the generally good level of cooperation the Office has received when it pursues issues.

Complaints process

Process

The complaint handling framework set out in the Privacy Act, and reflected in the Office’s approach, emphasises:

resolution between the organisation and the individual if possible [91] and

investigation and conciliation where complaints are taken to the Privacy Commissioner or a code adjudicator.

If a complaint cannot be resolved by these processes the Privacy Act gives the Commissioner a range of powers including the power to make determinations.

The Office currently receives approximately 1250 complaints per year. Approximately 66% of these are complaints under the private sector provisions.

Typical outcomes following conciliation include:

apologies

access provided and/or records amended

change in practice or procedure

staff training and

monetary or other compensation to redress actual loss or damage.

See Appendix 8 for information about the Commissioner’s powers of investigation and Appendix 9 which includes statistics on how complaints are finalised.

Where the Commissioner formally determines that an organisation has interfered with the privacy of a person, there are a number of options available to address the issue [92]. The options include:

making a declaration that the organisation should not repeat or continue the offending conduct

requiring the performance of any reasonable act or course of conduct to redress the loss or damage suffered by the person concerned and/or

requiring the payment of a specified amount by way of compensation for any loss or damage suffered by the person concerned.

Loss or damage can include injury to the person’s feelings or humiliation suffered by that individual.

If the organisation does not comply with a determination it may be enforced by the Federal Court or Federal Magistrates Court [93].

Information about complaints

The Office publishes de-identified [94] case notes of some of its finalised complaints that are considered to be of interest to the general public. They illustrate the types of cases resolved by the Office and usually involve a new interpretation of legislation, illustrate systemic issues, or illustrate the application of the law to a particular industry. The case notes do not identify the parties to the complaint. The Office has published 39 case notes since the practice commenced in December 2002.

The Office publishes Commissioner’s determinations in full but suppresses the name of the complainant. It also publishes a variety of complaint statistics and case studies on its website, and in its annual reports.

Powers supporting complaints process

The Privacy Act provides a range of powers and functions to support the complaint handling process and to encourage compliance with the provisions. These include the power to:

seek to enforce decisions made by code adjudicators or the Commissioner

initiate investigations without a complaint where there may be an interference with privacy (own motion investigations) [96].

The Commissioner also has functions to provide advice and to undertake education and awareness programs [97].

In addition, the Privacy Act also provides for the Commissioner or others to seek an injunction from the Federal Court or Magistrates Court to stop acts or practices that may be an interference with privacy or to require action to prevent an interference with privacy [98].

This enforcement framework is essentially the same as that applying to the Australian public sector since 1989, although with some variations, to reflect the intention that these provisions be ‘light touch’. For example, the Privacy Commissioner’s power to audit agencies, credit providers, credit reporting agencies and tax file number recipients is not replicated in the private sector provisions. Further, the Commissioner cannot report to Parliament the failure of an organisation to respond to any recommendations following an investigation under section 40(2) of the Privacy Act (own motion investigations).

Survey of complainants and respondents

The Office recently surveyed complainants and respondents seeking feedback on the Office’s complaint handling process and suggestions for improvements. The Office is now considering the responses and will feed this information into the review of its complaint handling processes. An overview of the survey responses is at Appendix 14. While to some extent responses were coloured by the outcome of the complaint (that is, whether or not it was upheld), many complainants were dissatisfied with the timeliness of the process.

Review rights

Commonwealth Ombudsman

The Office is subject to review by the Commonwealth Ombudsman with respect to ‘a matter of administration’. The Ombudsman often will resolve a complaint through a process of conciliation, but when this is not possible, the Ombudsman has the capacity, through a report to the concerned agency, to request remedies, for example, where the action:

appears to be contrary to law

was unreasonable, unjust, oppressive or improperly discriminatory

was in accordance with a rule of law but the rule is unreasonable, unjust, oppressive or improperly discriminatory

was based either wholly or partly on a mistake of law or of fact

was otherwise, in all the circumstances, wrong or

in the course of taking the action, a discretionary power had been exercised for an improper purpose or on irrelevant grounds [99].

Administrative Decisions (Judicial Review) Act 1977

Complainants and respondents may apply to the Federal Court or the Federal Magistrates Court for a review of ‘administrative decisions’ made about a privacy complaint under the Administrative Decisions (Judicial Review) Act 1977 (ADJR Act). The ADJR Act provides quite a broad right of review. However, it is important to note that the ADJR Act reviews the process followed to make the decision, not the substance of the decision. The Court cannot hear the matter afresh or substitute the decision of the Commissioner with its own. Grounds for a review include a breach of the rules of natural justice, or excess of power, or error of law. If the court finds, for example, that there has been a misuse of power or error of law, the matter will be remitted back to the Commissioner for a reconsideration according to law.

Matters that could be the subject of an ADJR application include:

a decision that a privacy complaint will not be investigated, or investigated further, under section 41(1)(a)-(f)

a decision not to make a determination under section 52 and

failure to give to a person who is adversely affected by a decision the reasons for that decision.

Administrative Appeals Tribunal

There is no right of appeal to the Administrative Appeals Tribunal (AAT) in respect of determinations about private sector organisations. The Privacy Act does provide a limited right of appeal to the AAT for a merits-based review of the Commissioner’s decisions where the respondent is a federal or ACT agency and only in relation to whether or not to make a determination that a complainant is or is not entitled to compensation [100].

Review/enforcement by Federal Court or Federal Magistrates Court

In addition to the above rights of review, where the Commissioner makes a determination following an investigation of a complaint and the organisation does not comply with the determination, the Commissioner, code adjudicator or complainant may apply to the Federal Court or Federal Magistrates Court to have the determination enforced [101]. The courts will hear the matter afresh and apply their own decision.

However, there is no recourse to the courts if the Commissioner does not make a determination or the respondent organisation has complied with a determination (although, as noted above, the ADJR Act is available if the process by which the Commissioner made these decisions is considered unfair or unlawful).

5.3 Issues

The issues paper suggested a number of topics for submissions related to enforcement and compliance. These included whether:

the Office’s overall approach to compliance/enforcement has been appropriate and effective

the Office’s approach to complaint handling has been sufficiently transparent and accountable

the Privacy Act provides appropriate rights for individuals as to how their complaint will be handled and the rights of review or appeal available and

the powers in the Privacy Act are sufficient, in particular to enforce complaint resolutions and/or deal with systemic issues, for example should there be a power to make binding codes, or audit private sector organisations [102].

5.4 What submissions say – issues

Approach to compliance

Support for approach

Many of the submissions from organisations and business or industry bodies, including Restaurant and Catering Australia (5), Promina (34), Insurance Council of Australia (59), Coles Myer Ltd (60), Australian Bankers’ Association (70) and Optus (98) support the Office’s approach to compliance and argue that it should continue. These submissions say that the Office’s approach has enabled organisations to implement flexible policies to protect the privacy of individuals without hindering business development. They generally consider that the right balance has been achieved.

In particular Restaurant and Catering Australia (5) commends the Privacy Commissioner’s limited use of formal enforcement powers and its focus on the cooperative resolution of issues. The Insurance Council of Australia (59) also supports the Office’s educative approach to complaint handling.

‘the effectiveness of the current dispute resolution mechanism has resulted in few judicial decisions on the application and the private sector provisions… [It] strongly supports the continued resolution of complaints by negotiation’.

A number of submissions say that the approach should extend to complaint handling where the focus should emphasise information/advice and conciliation over legalistic determinations [103]. One confidential business submission thought that existing enforcement powers including in relation to determinations were a ‘powerful enough incentive for organisations to comply’.

Approach ineffective

Submissions from the consumer and privacy advocacy groups, including the Consumers’ Federation of Australia (65), the Australian Consumers’ Association (15), Electronic Frontiers Australia (51) and the Australian Privacy Foundation (90) also note the low number of complaints. While the business sector sees this as a positive indicator (see discussion below) these submissions conclude that the educative approach deters individuals from complaining. They say this is because individuals see no strong action or consequences resulting from an organisation’s poor privacy performance.

Level of compliance

Level is about right

Many submissions from organisations and business groups argue that they or their members have taken significant steps to comply with the Privacy Act. They say that the overall level of compliance is good and the Office’s approach is working well.

A number of these submissions outline the compliance steps they have taken and note the expenditure involved [104]. These submissions argue for the current approach to be maintained. Some also sought more emphasis on education and/or guidance for consumers and organisations.

Many of these submissions argue that the overall low level of privacy complaints they or their members have experienced is positive evidence of a satisfactory level of privacy compliance. They say this is particularly so taking into account the number of transactions processed. Submissions noting low complaint levels include Coles Myer (60), Optus (98), Sensis (84), ABA (70), SuncorpMetway (35), the Financial Planning Association (85), Australian Association of Permanent Building Societies (91), Australian Finance Conference (63), the ANZ Bank (40) and the Insurance Council of Australia (59). Some submissions put forward statistics supporting this view. For example:

SuncorpMetway (35) advises that for the period November 2003 to October 2004 it received 9930 complaints of which 149 or 1.5% were privacy related

the Private Health Insurance Ombudsman (PHIO) (10) observes that in 2003/04 it received 3000 complaints of which only 14 complaints were about privacy

the Australian Bankers’ Association (70) notes that one of its members ‘reports its analysis of privacy complaints over the past 12 months as representing just .0035% of its total customer base’

Coles Myer (60) says that given the low level of complaints it considers the current compliance approach (and powers) to be sufficient.

‘The best protection for a customer…is the organisation’s desire to maintain its reputation and competitive advantage in the market’.

On the other hand the Salvation Army Australia Southern Territory (74) suggests that low levels of complaints can be attributed to lack of awareness of complaints procedures.

Level may not be adequate

In contrast, submissions from the consumer and advocacy groups, including those from the Australian Consumers Association (15) and the Consumers Federation of Australia (65) express some strong concerns about the Office’s approach to compliance.

It was also a theme in the Office’s public consultations that while many organisations are trying to comply some are not worried about implications of a breach. Some saw this as a possible indication that compliance may not be as widespread and ‘deep’ as it could be. A participant at the Adelaide consultation suggested that if the Office was to ‘out’ poor privacy performance this would then be a point of difference between businesses for consumers to consider; privacy would matter more to business [105]. Another participant stated that it is difficult to talk some company boards into being privacy compliant when no schedule of penalties attach to the NPPs and commented that ‘if you had audit powers, we might be able to convince our boards to comply’ [106].

In a similar vein, the Consumers’ Federation of Australia (65) and the Australian Consumers’ Association (15) assert that the Office’s approach to compliance and the lack of visible enforcement of privacy rights means that organisations are lax about compliance with privacy obligations.

Others support the view that there is no incentive to correct system flaws and that it is easier to simply respond when (the very few) complaints come in rather than comply in a systemic way. [107]

Comments from some submissions suggest that for smaller businesses, privacy may not be a high priority in the midst of other regulations. For example, submission (83) observes that:

‘All business in Queensland currently negotiates a raft of government (local/state/federal) regulations. For smaller enterprises these regulations are often seen as annoying diversions to the primary purpose of the business: at times they can be very daunting and costly’.

The Australian Chamber of Commerce and Industry (22) makes the similar point (in arguing against the removal of the small business exemption):

‘that privacy compliance costs would be additional to the myriad of other compliance burdens stemming from legislative or regulatory requirements, be they in relation to occupational health and safety, industrial relations or, in particular, taxation’.

In general, the perceived lack of enforcement mechanisms in the Privacy Act, especially in relation to determination enforcement, is a matter of strong concern amongst the advocacy and consumer groups [108].

Office does not use existing powers

Submissions from Professor Graham Greenleaf (47) and some consumer organisations note the very limited use the Office makes of the Commissioner’s power to make determinations. As discussed elsewhere, submissions focus on the perceived lack of procedural fairness and transparency flowing from the lack of determinations.

Professor Graham Greenleaf argues that the limited use of determinations equates to a failure to visibly enforce the law, with consequent impact on the culture of compliance, compliance risk assessment and so on.

Systemic issues not being addressed

Incidence of systemic issues

Some submissions say that the Office has not paid enough attention to fixing systemic issues, which are causing a large number of complaints. These submissions suggest that the Office needs to consult more regularly with consumer groups to identify systemic issues and to formulate ways of addressing these issues with foresight, instead of merely dealing with complaints once they have arrived at the Office’s door. [109]

On the other hand a few business submissions are sceptical about the incidence of systemic issues. The Australian Bankers Association (70), in referring to a member bank’s analysis of privacy complaints, states that privacy complaints represented 0.0035% of its total customer base and that the complaints had no real pattern, indicating that there were no systemic problems. It states that many of the complaints involved ‘isolated instances of human error’.

Systemic issues and complaints process

A number of submissions are concerned that the Commissioner has limited ability to address broader systemic issues as a result of the Privacy Act’s strong focus upon individual complaints.

The Consumer Credit Legal Centre (62) and the Consumers’ Federation of Australia (65) state that reliance on individual or even representative complaints is ‘inefficient’. The Australian Consumers’ Association (15) raises concerns that the complaints focus disconnects the Office from systemic issues. It argues that the Commissioner should have the power to address systemic problems outside the context of resolving an individual complaint.

The Consumer Credit Legal Centre (62) and the Consumers’ Federation of Australia (65) state there is no incentive to correct systemic flaws:

‘In most cases, the worst outcome for a respondent is to amend the records. With respect to credit reporting, the cost of dealing with a small number of complaints is apparently less than the cost of ensuring the data is accurate in the first place’.

The Australian Privacy Foundation (90) argues this as well.

While not specifically relating to the NPPs, the Consumer Credit Legal Centre (NSW) (62) raises particular concerns that the Commissioner is not effectively using powers to deal with systemic issues in the credit reporting sector.

The Australian Consumers’ Association (15) argues that over time more enforcement of systemic issues may lower the number of complaints.

More information when systemic issues raised

A number of submissions [110] raise concerns about the lack of information provided when systemic issues are raised with the Office. The Consumer Credit Legal Centre states:

‘we are concerned about the lack of information provided to us when we raise issues of what we believe may be a repeated or systemic problem. While our client’s problem may be resolved, we are rarely advised whether there has been any response to what might be a broader problem with a particular credit provider’.

Some also suggest that there is some failure on the part of the Commissioner to recognise the seriousness of broader systemic issues raised by consumer groups and NGOs, accompanied by the suggestion that these groups want closer interaction with the Commissioner.

Not enough powers to ensure compliance

A number of submissions put the view that at present the Privacy Act does not provide sufficient powers to ensure that businesses are aware of their obligations to protect privacy, or know how to implement them in practice and carry through on implementation. They note the lack of audit powers in the private sector provisions and they comment on what they see as a fact that the Office cannot require organisations to comply with ‘own motion investigations’ the Office undertakes [111].

Ineffectiveness of determinations for compliance and systemic issues

A number of consumer and privacy advocacy groups comment on the effectiveness of determinations in addressing systemic issues in the light of the Commissioner’s determinations in April 2004 following representative complaints about a series of issues arising from the operation of tenancy databases.

The Tenants Union of Victoria (23) claims that evidence suggests the determinations have failed to achieve compliance. It notes that in order to achieve compliance an application must be made to the Federal Court, which is both time and resource intensive.

In addition, it claims that determinations are unlikely to be effective in the awarding of small compensation payments and, most importantly, determinations are only applicable to the individual complaint, not to industry wide practice.

Submissions from advocacy groups and representatives [112] are concerned about the implications of the Privacy Commissioner’s view [113] that a determination under section 52 cannot require a respondent to do something or refrain from doing something unless the activity relates to matters raised by the complainant.

They are concerned that this view means that the Office cannot addresssystemic issues raised by a complaint. For example, the Tenants Union ofQueensland (69) states that:

‘this can, and has in our view, result in a ‘cat and mouse’ gamewhereby the respondent makes changes, but not those recommended,but still fails to meet the requirements of the NPPs. Aggrieved partiesand their advocates are left to raise new complaints and the process isperpetuated [114].’

Professor Graham Greenleaf (47) makes similar points. He notes thatrespondents are free to ignore recommendations and the only remedy forindividuals is to then make a further complaint and that:

‘this could end up in a continuing charade whereby the respondent istold what he cannot do, but cannot be giving binding directions as towhat they must do’[115].

The overall view from consumer/privacy advocate submissions is thatrepresentative complaints, whilst useful in raising systemic issues, were notviewed as being effective in addressing broader systemic issues as thePrivacy Act does not provide the Commissioner with a power to enforcesystemic remedies.

However, the Investment and Financial Services Association Ltd (89) opposesany proposal to implement systemic remedies as it sees that the currentapproach is working effectively. Telstra (110) approves of the focus of theNPPs being on interference with the privacy of individuals and submits thatthe current powers of the Commissioner are sufficient.

Complaints process

Process is not transparent

Lack of transparency in the complaints process was a major focus of many submissions[116].

People don’t understand the process

Professor Graham Greenleaf (47), the Consumers' Federation of Australia (65) and the Australian Privacy Foundation (90) argue that the Office’s complaints process lacks transparency because the Office does not publish a manual which outlines the Office’s policies and procedures when it investigates and resolves complaints. They say that, as a result, the parties to complaints can only infer these procedures and policies from the piecemeal information that is publicly available.

People don’t know what decisions are made or why

A number of submissions say that people do not know enough about the outcomes of complaints. They say the consequences of this are:

complainants and respondents do not know how the Office interprets the Privacy Act or what remedies are attainable. Therefore, individuals do not know what arguments to raise or whether their complaint is worth pursuing through the Office

it is difficult to monitor the adequacy and fairness of the Office’s decisions and remedies; and any mistakes made in the Office’s decision making processes are not exposed

legal jurisprudence is not developed in this area of the law and any deficiencies in the law, which may require law reform, do not become apparent and therefore do not get addressed.

Professor Graham Greenleaf (47) observes that there is no publicly available criterion which reflects how the Office selects complaints for publication.

Submissions from privacy advocates and consumers[117] observe that the lack of reported statistics on some aspects of the complaint process means that the nature of remedies that complainants achieve is not widely known, nor is it possible to assess the Office’s overall performance in complaint handling. The Fundraising Institute Australia Ltd (52) makes a similar observation.

Some submissions observe that while the published statistics in the 2003-2004 Annual Report show the number of complaints received and closed and the basis for closing the complaint, there is no indication of the nature of resolutions achieved.

Fairness of process

No review power

Submissions from consumer and advocacy groups, for example, Professor Graham Greenleaf (47), Consumer Credit Legal Centre (NSW) Inc (62), and the Australian Privacy Foundation (90), note the lack of a right of review for complainants or respondents in relation to section 52 determinations made by the Commissioner.

This issue is set out in detail by Professor Graham Greenleaf (47). The submission includes the following observations.

‘In my submissions to the Government and to Parliament on the Bill leading to the private sector provisions I stressed (as did other commentators) that the lack of any right of appeal against section 52 determinations (to the Federal Court, Federal Magistrates Court, or at least to the AAT), was extremely unfair to complainants.’

The submission goes on to say that, as is noted by the Office’s issues paper, one of the reasons for this unfairness is that:

‘Respondents have the possibility of having a case heard afresh by refusing to comply with a determination and waiting for the Commissioner to seek to have the case enforced in court. However, this strategy is not available to an aggrieved complainant. Quite apart from the inherent bias towards respondents in the Act as it stands, it is unfair and is unnecessary that there should be no appeal from determinations by the Privacy Commissioner.’

Another common concern in the submissions is the Privacy Act’s lack of a merits-based review process for decisions made under section 41. Submissions say this is particularly a concern, for example, where the Commissioner chooses not to investigate, or investigate further, a complaint on the basis that the Commissioner considers that the respondent has adequately dealt with the complaint, regardless of whether the complainant is satisfied with the respondent’s response.

A few submissions, for example from the Chamber of Commerce and Industry, Western Australia (77), argue that the lack of appeal rights is not unique to the Privacy Act and that it is not clear that it is problematic.

Ending partially complete investigations

Professor Greenleaf (47) submits that there is a lack of procedural fairness in the complaints handling procedure in that the Office may complete partial investigations and then decline to investigate a matter further. In his view procedural fairness can only be ensured if the proper process is in place for the Commissioner to make a formal determination in such cases. Indeed, the submission asserts that individuals should be able to insist on the Office making a final determination on a complaint.

Process is too bureaucratic

The Consumers' Federation of Australia (65) and Australian Privacy Foundation (90) say that the Office is overly bureaucratic in requiring individuals to first raise the specific issues with the respondent before the Office will handle the complaint.[118] The submissions report that, in some cases, this involved writing to the respondent, or respondents, several times[119].

People are confused about who to complain to

Some submissions from business, government and consumer organisations, and from individuals in the health and telecommunications sectors, outlined the difficulties experienced because a complaint could be pursued in a number of forums.

In particular, Telstra (110) notes that its customers could complain to the Telecommunications Industry Ombudsman (TIO) and the Australian Communications Authority or the Privacy Commissioner. In its view the number of possible complaint bodies causes confusion and additional costs. Its preferred view is that the Privacy Commissioner should be the body of last resort and should only get involved after the TIO had considered the matter.

The Department of Health and Ageing (99) put a similar view in relation to complaints in the health sector, noting that there was a lack of clarity and definition relating to recourse when consumers feel privacy has been breached. It sought a more consumer friendly approach for dealing with privacy complaints; for example, it encourages the Office to develop a Memorandum of Understanding with Health Complaints Commissioners.

However, submissions from regulators with overlapping jurisdiction were more comfortable with the operation of the current arrangements. For example, the Australian Competition and Consumer Commission (ACCC) (128) comments that although some complaints may fall within both jurisdictions, this has not been a barrier to resolution. It notes that the Office and the ACCC generally refer complaints to one another and the Memorandum of Understanding has assisted in this.

The Australian Communications Authority (94) says that the lack of clarity about jurisdictional responsibility has not been a barrier to resolution of complaints as parties generally liaise closely and adopt a co-operative approach. However, it notes:

‘from a consumer’s point of view, some confusion may arise over which agency a person should make their initial complaint to. Additionally, this lack of jurisdictional clarity has the potential to significantly delay or complicate investigation of complaints and is potentially wasteful of agency resources’.

‘We are aware of consumer advocate criticism of the long delays of matters raised with the Commissioner. We share these concerns. . . . we would recommend the Commissioner be sufficiently resourced to:

Ensure complaints are allocated in an expedient way and

To educate individuals that direct contact with the privacy manager at the company involved is the preferred way to resolve an issue.’

Likewise the Australian Finance Conference (63) says:

‘…on the more specific level of complaint handling involving our members individually, there has been concern expressed about the delay in raising the complaint with the member. . . . we recognise that the limitation on the resources of the OFPC may have impacted.’

Other submissions are also concerned about delays in complaint handling.[120]

A confidential submission from an individual highlights the frustration they felt whilst waiting for their complaint to be investigated. The Australian Consumers’ Association (ACA) (15) notes it is:

‘aware of and concerned by the delays and queues that have characterised complaints handling by the Office over the term of the review. These in turn may well have fed back into a public perception of the Office as being incapable of delivering a satisfactory outcome’. Further, the ACA states a belief that ‘the OFPC has a high rate of discouraged complainants, abandoned complaints and unhappy consumers’.

Tenants’ Union of Queensland (69) says that the ‘resource issue needs to be addressed to allow the Office to discharge its complaint handling function and embed a ‘real respect’ for individual privacy into Australian businesses.’

Respondent organisations are also aware of the problems that have arisen due to the underperformance of the complaint handling function. The ANZ (40) says that in one case there was a period of 12 months between the time the Office had told an organisation that the complainant had written to the Commissioner and when the complaint was finally forwarded to the respondent.

The ANZ Bank (40) highlighted two problems caused by delay in its submission, in particular:

delays can have the unintended impact of undermining trust in the regime and lead to calls for a stronger legislative approach, when all that is needed is full use of existing powers and processes and

delays can also impact the bank’s relationship with its customer, especially where we are unaware a complaint has been made.

Respondents emphasise that swift resolution of complaints is essential to ensure confidence in the Office and the law.

A number of submissions highlight the fact that prolonged delays in complaint handling reduce the success of complaint resolution and make it difficult to ‘mend’ the relationship with the complainant[121].

5.5 What submissions say – addressing issues

Transparency

Publish complaints manual

A number of submissions, including Professor Graham Greenleaf (47), the Australian Privacy Foundation (90), the Consumers’ Federation of Australia (65) and the Consumer Credit Legal Centre (62), say that in order to cast more light on the way that the Office handles complaints the Office should publish online a comprehensive manual of its complaint resolution policies and procedures, and keep it up-to-date.

Publish more about complaints outcomes

Submissions concerned about lack of transparency call for better reporting of the Office’s processes and complaint outcomes in terms of statistical information and more detailed real life examples of closed complaints and how they were resolved.

A number of submissions state that while there has been a marked increase in the number of case notes published on the Office’s website, there is still a need for more examples of real life cases which represent the range of complaints which the Office receives. In addition, these submissions seek detailed information about how complaints are resolved to assist readers to understand the legal issues involved and the Commissioner’s reasoning leading to a resolution[122].

Submissions acknowledge that publication of case notes detailing a conciliated outcome may adversely affect the conciliation of a complaint. However, they argue this may be overcome by de-identifying complaints or, if not possible, considering publication of complaints on a case by case assessment.

To achieve a more systematic approach to the publication of case notes, Professor Graham Greenleaf (47), the Australian Privacy Foundation (90), Consumer Credit Legal Centre (62) and the Consumers’ Federation of Australia (65) recommend that the Office adopt a ‘Criteria of Seriousness’ and confirm its adherence to these criteria in the Office’s Annual Report. Professor Greenleaf (47) also recommends that the Office:

continues to publish statistics on provisions used to dispose of complaints and to publish additional information, such as listing the laws relied upon under section 41(1)(f) and

publishes statistics of the remedies obtained including the number of cases in which compensation was paid and the amount.

Greater use of existing powers

More proactive

The Consumer Credit Legal Centre (62) states the Office should be more proactive in addressing systemic issues. The Consumer Credit Legal Centre (62) and the Consumers’ Federation Australia (65) state that reliance on individual or even representative complaints is ‘inefficient’.

More determinations

Professor Greenleaf (47) says that there would be more transparency in the complaints process if the Office made greater use of its power to make determinations.

More own motion investigations

Many advocacy and consumer groups submit that the Commissioner should make greater use of available powers, including the own motion investigation powers, to address systemic issues. The Australian Privacy Foundation (90) states that:

‘Problems that we see constantly repeated over many years are not being adequately addressed. It should not be necessary to keep bringing individual or even representative complaints, which are a very inefficient way of addressing systemic problems. Instead, the OFPC should be more pro-active in addressing systemic issues using her own-motion investigation powers’.

Fairness

More review

Professor Greenleaf says that both the complainant and the respondent to a privacy complaint should have a right of appeal against any section 52 determinations, in the form of merits review. This could be either to the Federal Court, Federal Magistrates Court, or the Administrative Appeals Tribunal. Other submissions also support this, for example, Consumer Credit Legal Centre (62), Australian Privacy Foundation (90), Professor Graham Greenleaf (47) and Electronic Frontiers Australia (51).

Right to ask for complaint to go to a determination

Professor Graham Greenleaf (47) argues that if the Commissioner dismisses a complaint under section 41(2)(a) of the Privacy Act on the grounds that the Commissioner is satisfied that the respondent has dealt adequately with the complaint, the complainant should be able to insist that the Commissioner make a determination under section 52 of the Privacy Act. A number of other submissions also support this.[123]

Professor Greenleaf says that if compensation was involved, this would give the complainant a right to appeal the amount to the Administrative Appeals Tribunal.[124] If the respondent was found in breach of the Privacy Act the complainant would have the satisfaction of having the breach publicly acknowledged, even if other remedies were not awarded. He says that the Privacy Act should be amended to clarify that the complainant has this right.

Mixed views about whether the Office should make more use of the determinations power were evident at the Darwin stakeholder forum and included that:

the fact that few determinations have been issued suggests that no more powers are needed

more powers are not needed

the occasional ‘fright’ is needed to keep organisations in line.

More help to complainants – streamline process

The Australian Privacy Foundation (90) says there should be an express power for the Office to ‘sort out’ what principles have been breached and who is the appropriate respondent. The submission argues the onus should not be on the complainant as responsibilities for handling personal information can be confusing.

Improving levels of compliance

Powers to enforce own motion investigations

The Australian Consumers’ Association (15) says that the Commissioner should ‘be able to enforce any directions given in relation to findings after an own motion investigation’ which ensures that ‘light handed’ interventions by the Commissioner have the ‘weight of possible further action attached to them’.

Power to audit private sector

The Australian Consumers Association (15), the Consumers’ Federation of Australia (65), Tenants’ Union of Queensland (69), Australian Privacy Foundation (90), and Xamax Consultancy Pty Ltd (3) see an extended audit power as one of a number of necessary strands to a greater level of compliance. Others also argue that an audit power is a necessary response to what they perceive as a current lack of confidence in the community in the Commissioner to protect privacy.

Power to issue binding codes

The Australian Consumers’ Association (15) says that in order to be able to address systemic issues the Office should have the power to issue a standard or binding code.

The Australian Bankers’ Association (70) is opposed to this idea. It states that it ‘would not support the Privacy Commissioner having an “own motion” power to initiate a Privacy Code affecting banks.’ It argues that ‘from the ABA’s perspective the NPPs are working well and this issue is perhaps a matter for other industry sectors to address’.

Other powers to deal with systemic issues

The Australian Consumers’ Association (15) says that the Office should:

have the capacity to address systemic privacy problems outside the context of resolving an individual complaint

be able to find an organisation that breaches privacy provisions

be able to seek court enforceable undertakings.

Review of resources

A number of submissions[125] identify that funding to the Office should be reviewed by the government and increased to a level that allows the Office to carry out its functions in an expedient and efficient manner.

The Australian Consumers Association (15) suggests the establishment of a resource stream:

‘to the dispute resolution activities…that is commensurate with and scales to meet the volume of complaints coming to the Office. Preferably this funding would be provided by a scheme whereby organisations complained against bear the cost’.

Are levels of compliance adequate?

Level of compliance

There are grounds for arguing that there is a satisfactory level of compliance with the private sector provisions among organisations. For example, there is evidence that many organisations have taken substantial steps to ensure that they comply. There is also evidence that businesses have made some steps towards compliance. For example, many organisations provide their customers with privacy notices.

Submissions also indicate that they receive very few complaints relative to the number of transactions they process. It may also be argued that the Office receives few complaints considering the number of transactions taking place in the private sector.

The Office accepts these points. In particular, it acknowledges that the number of privacy complaints received is very small given the millions of transactions involving personal information each day. It also acknowledges that many organisations are taking significant steps to comply. However, it cannot be assumed that, as a result of these factors, the level of compliance in the private sector is at an optimum level.

Complaints as an indicator of compliance

It may not be appropriate to draw definitive conclusions from the current low level of privacy complaints. There are complex reasons why people do not complain, and low complaint numbers are not necessarily indicative of high levels of compliance. Reasons why individuals may not complain may include:

individuals are not motivated to complain for a range of reasons including that they have not suffered significant loss or damage

individuals are not aware of the breach

although the submissions report low complaint numbers the Office is not in a position to know if this applies across the board and, more specifically, how many complaints are made direct to organisations and are resolved at that level

difficulty in lodging a complaint with the organisation (that is, no privacy contact officer).

Some commentators’ views on this area indicate that most dissatisfied consumers never complain[126]. A United States program, the Technical Assistance Research Program (TARP), has also suggested as many as 95% of dissatisfied customers do not complain to the company concerned[127]. While companies may assume that a small number of complaints means that consumers are satisfied and that there are no systematic problems, TARP refers to this as the ‘tip of the iceberg’ phenomenon[128]. In addition, according to Hyman et al:

‘only a portion of the problems/defects that exist are actually perceived; only a portion of those perceived are voiced; only a portion of those voiced gain access to a complaint-resolving party; and only a portion at each stage are resolved successfully’[129].

Research shows that while some dissatisfied consumers will voice their complaints to the company concerned, others complain by word of mouth to friends, family members, neighbours and their community[130]. Others, instead of complaining, will simply change providers[131]. In that case, it could be argued that the provisions and ‘the market’ are working.

Factors such as the effort required to confront the organisation and to articulate the problems, as well as anxiety over what may happen when the organisation is confronted, have been raised as reasons why individuals would not make a formal complaint to management[132].

Compliance may be uneven

It is clear that the banking and insurance sectors have paid considerable attention to privacy compliance. However, there is anecdotal evidence from other submissions, the consultations and the Office’s own experience that suggests that the depth of privacy compliance is not uniform and that some organisations may not be following up initial compliance efforts or may not have implemented privacy requirements at all. The Office notes here the comments in some submissions about the overall compliance environment. These include the lack of incentive in the Privacy Act and the Office’s approach to compliance for many organisations to implement privacy in a systemic way, and the complexity of the regulating environment in general.

As some submissions pointed out earlier, smaller businesses often see the raft of government, local and federal regulations, including occupational health and safety and particularly taxation, as annoying, costly and expensive diversions from the primary purpose of business[133]. Complying with privacy requirements, particularly if regarded as a low risk issue, is likely to be a lower priority than such matters as taxation or other more immediate regulatory concerns.

Monitoring compliance

The Office has limited ability to objectively assess current levels of compliance. This is in part because the Commissioner’s monitoring powers are limited. The Office does not have the power to do random checks on organisations to see if they are complying. The currently available investigative options are the own motion power, which can be triggered where there may be an interference with privacy and the Commissioner considers it desirable to investigate, or undertaking an audit by invitation[134]. The Office could also rely on its educative functions to seek information via surveys, consultations and the like.

Also, in line with the ‘light touch’ approach of the private sector provisions, organisations do not have any obligation to report to the Office on their compliance.

Is change needed?

Concerns raised in submissions and from the Office’s own experience suggest that there is room for improving compliance and its complaints process. This can be done in a way that increases the incentive for businesses to comply while having little impact on organisations that are actively and fully complying. These could include greater guidance and education and awareness programs and improving existing processes, as well as strengthening enforcement powers.

Enforcement powers

The House of Representatives Standing Committee on Legal and Constitutional Affairs[135] noted, without making a formal recommendation, that there appeared to be some limits to the enforcement regime in the Privacy Act.

This is supported by the Office’s experience that more directive powers may be desirable, particularly where systemic issues arise, either in the course of a complaint or in the context of an own motion investigation.

The Office’s experience also indicates that while a vast majority of organisations comply with the Office’s directions when it finds a breach, there are some that do not. Although this occurs in few cases, the failure to comply devalues the privacy scheme and reduces the incentives for others to comply, and also means that organisations that do comply do not receive the full benefit of their conscientious behaviour in terms of level playing fields. Apparent lack of enforcement also discourages individuals from complaining.

A more active and transparent approach

The benefits that are likely to flow from a more transparent and active approach to compliance could include:

increase in public confidence in the Privacy Act because serious issues or recalcitrant organisations are seen to be dealt with

businesses making serious efforts to comply would not be disadvantaged, that is, the playing field would be more level

there would be more published information about how the Office applies the Privacy Act.

Systemic issues

The Office has a strong focus on individual complaints although it does also respond to systemic issues raised in complaints or identified by other means to the extent possible. The focus on individual complaints is in part because complaint investigation is a non-discretionary function.[136]

There is some evidence that the Office’s limited focus on systemic issues and its lack of power to deal with systemic issues is out of step with best practice for complaint handlers. For example, Louise Sylvan (then of the Australian Consumers’ Association), in presenting to the 2003 National Dispute Resolution Advisory Council Conference[137] on identifying good practice in complaint handling, noted that:

‘A scheme must be underpinned by a comprehensive and efficient complaints handling mechanism. Systemic analysis is required which seeks to eliminate systemic recurrence of issues and to achieve resolution with finality… the addressing of systemic issues to preventing recurrence, and public reporting (or name and shame)’.

A greater focus on analysing complaints, following up leads, conducting more own motion investigations to identify systemic issues and so on could also feed into education and guidance activities.

The Office has had some notable successes in encouraging organisations to make systemic changes to systems and practices[138]. However, the Office has experienced difficulties in dealing with systemic issues in particular cases. For example, there have been a number of cases involving the handling of old medical records, both in terms of security and in ensuring that individuals can continue to access their records.

The Office has also encountered difficulty in dealing with privacy issues arising from the operation of tenancy databases. For example, the Commissioner cannot require tenancy database operators to take a particular set of compliance actions either in the course of a determination or following an own motion investigation.

5.6 Options for reform

More education and awareness

As outlined in Chapters 4 and 6 of this report, there is considerable room for greater education and awareness among organisations and consumers. Better informed consumers are likely to ask that organisations comply with their obligations. Also, if consumers demand this, businesses are more likely to see the business advantage in practising good privacy. It may also be that some smaller organisations are still unaware of their need to comply with the private sector provisions, or even if aware, unsure how to go about complying. The recommendations in Chapters 4 and 6 relating to a new consumer and business awareness program are likely to have some impact on the level of business compliance.

Increase transparency in complaints process

Publishing more information

Good reasons for publishing more information

The submissions seeking greater transparency made a number of suggestions for reform. In general, the objective of greater transparency, short of routinely naming both parties, in complaint handling processes and outcomes is likely to benefit both complainants and respondents. Individuals and organisations will be negotiating with greater knowledge of likely outcomes. Organisations and their advisors will have more detailed information about how to comply. The Office’s decisions would be more open to scrutiny. However, it does not appear to be common practice for regulators to publish manuals which set out in great detail their complaints processes.

Publishing outcomes of conciliation/complaints in other jurisdictions

Many complaints bodies publish de-identified case notes or similar. However, these vary in length and number. Australian complaint-handling bodies that publish a select number of de-identified case notes include the Office of the Victorian Privacy Commissioner and the Anti-Discrimination Commission Queensland. The Office of the New South Wales Privacy Commissioner does not publish any case notes or report on conciliated complaints. The full texts of cases that have gone through the New South Wales Administrative Decisions Tribunal are publicly available.

Decisions made by the Human Rights and Equal Opportunity Commission (HREOC) between 1985 and 1999 are available on the Australian Legal Information Institute website. From 2000, the public hearing and determination process was passed to the Federal Court of Australia. These decisions are available online through the Federal Court of Australia’s website and the Federal Magistrates Service website. HREOC also maintains a de-identified register on its website of all conciliated cases[139]. The complaint summaries in this register provide information about the terms of settlement, including the amount of compensation awarded, if any.

The New Zealand Privacy Commission and the Office of the Privacy Commissioner for Personal Data, Hong Kong publish a number of de-identified case notes on their websites. The Office of the Privacy Commissioner of Canada publishes de-identified case notes for both settled and early resolution cases. The Canadian Commissioner has also published an incident summary. This is a summary of a case which is not the subject of a complaint but has been brought to the attention of the Commissioner (similar to an own-motion investigation under the Privacy Act).

It would appear from this survey that publishing more information would bring the Office more closely into line with other complaints handling agencies. However, it does not appear to be common practice to publish in a way that includes identified information.

The Office could maintain a de-identified register of the outcomes of all the complaints it conciliates. It could provide more information about the outcome of all complaints, or it could continue to produce case notes.

Review use of determination power

Making more determinations would address a number of concerns about the transparency and fairness of the current approach to complaint handling. It could particularly address concerns expressed about situations where the complaint does not seem amenable to resolution by conciliation or where there is a public interest in proceeding to a determination. This approach could also provide a solution to the expressed concern of some consumers and advocates that the enforcement of the Privacy Act is ‘soft’.

In addition to promoting confidence for consumers, there would be clear benefits for organisations in terms of certainty. There would be more published decisions on how the Privacy Act applies.

The possibility of finalising more complaints by determination could have resource implications for organisations and the Office. Determinations, particularly where they involve oral hearings, are potentially more costly for the Office to administer. The Office could focus more directly on monitoring compliance with determinations and, if organisations do not comply, on seeking enforcement through the Courts.

More external review

Providing additional appeal rights may create a fairer process for individual complainants in areas where currently there is no review. It could create greater transparency and scrutiny for the Office’s decisions on the private sector provisions. Although industry based complaint handlers do not have review rights, the lack of merits review for the Office’s key decisions, particularly determinations, appears to be out of step with other government based authorities.

For example, the Privacy Act, when compared to other statutes providing for a right of complaint, is unusual both in terms of containing a power to make final determinations about a complaint and in providing limited avenues of appeal to judicial decision. Appendix 12 sets out the position in relation to a number of similar statutes. The role of positions similar to the Commissioner’s is more often to attempt to resolve a complaint by conciliation. Where conciliation fails or is not possible the more usual process is a court hearing with accompanying rights of appeal.

On the other hand, it might be said that creating appeal rights might result in a more legalistic and burdensome process which is not consistent with a ‘light touch’ scheme. It could be argued that rights of appeal that do exist have not been very much used, and so creating additional ones is unnecessary. Also, the Commissioner is in effect a body of appeal (from decisions made by the organisation), so it would be unnecessary to provide additional levels of appeal, particularly given that the process the Commissioner uses is separately subject to ADJR Act review. In this regard it is worth noting that the Parliament provided for determinations by code adjudicators to be reviewable by the Commissioner[140].

The question of appeal rights was considered by the House of Representatives Standing Committee on Legal and Constitutional Affairs which inquired into the Privacy Amendment (Private Sector) Bill 2000[141]. The Committee mentioned a number of issues, including concerns about perceived lack of appeal rights in respect of the enforcement regime in the Privacy Act. It also noted that some witnesses expressed concerns about the appeal framework as framed in the Bill, including higher compliance costs for business compared to an industry scheme with no appeal rights, and that the threat of judicial review would make complaint handling bodies more formal and legalistic.

The Committee noted both sets of concerns. While its report did not make a recommendation, and consequently the Government response to the report did not consider the issue, it did note that the enforcement and appeal provisions in the Bill appeared to need further attention[142].

As discussed in this report, the Commissioner is reviewing the Office’s complaint handling process, including the circumstances in which complaints will be finalised by determination. These circumstances could include where the complainant and respondent cannot agree on a resolution by conciliation. This change in approach, which would not require changes to the Privacy Act, may meet one stream of concern in the submissions about lack of review rights.

Fairer process

Some submissions identify areas where the Office’s complaint handling processes seem overly bureaucratic, for example where the complainant has not identified the correct respondent and is told they need to take this step before the Office will respond.

There would be clear value in looking at the process to ensure that it meets external standards for complaint handling and alternative dispute resolution (ADR) and to make it more user friendly for both parties where the law and resources allow.

Make better use of existing powers

Greater use of own motion powers

Existing practice

The Office undertakes own motion investigations in a range of circumstances. Typically, the Office becomes aware of these matters through reports by individuals or the organisation concerned, or through the media. In some cases, the Office also follows up matters that have been identified through complaints.

The table below shows the total number of own motion investigations logged on the Office’s complaint handling system over the past five years. Not all incidents logged are investigated. The Office applies risk management criteria that include the seriousness of the incident and the number of people affected (see Appendix 10 for more details about the Office’s use of the own motion power).

Table: Number of own motion investigations and complaints registered

Time period                   No of OMIs   Complaints (not including OMIs)
1 July 2000 – 30 June 2001    10           194
1 July 2001 – 30 June 2002    48           611
1 July 2002 – 30 June 2003    64           1090
1 July 2003 – 30 June 2004    69           1276
1 July 2004 – 1 Feb 2005      59           724

Value in more own motion investigations

Undertaking more own motion investigations would be a practical way of addressing systemic issues independently of complaints. However, doing this would have an impact on the Office’s resources. In addition, for the investigations to be of greater benefit, the Office would need to have the power to direct organisations to address any issues found and then to enforce those directions.

It may be that if the Office carried out more own motion investigations with enforceable directions, this would be sufficient to enable it to address systemic issues.

Power to enforce own motion investigations

Problems caused by lack of enforcement power

The Office has experienced some difficulties in dealing[143] with potential privacy breaches where there is no individual complainant and where the respondent is not cooperative, or where there is a need to respond quickly to systemic poor privacy practices, for example in relation to tenancy databases. In this respect it would appear that the Office’s powers may be out of step with other similar regulators.

Other regulatory regimes

A number of similar regulatory regimes include more directive enforcement powers. For example, under section 48 of the Information Privacy Act 2000 (Vic), an organisation must comply with a compliance notice served on it.

Under Section 44(1) of the Information Privacy Act 2000 (Vic), the Victorian Privacy Commissioner may serve a compliance notice on an organisation if the organisation has done an act or engaged in a practice in contravention of an IPP or applicable code of practice and the act or practice:

constitutes a serious or flagrant contravention, or

is of a kind that has been done or engaged in by the organisation on at least 5 separate occasions within the previous 2 years.

Section 44(5) enables the Victorian Privacy Commissioner to act on his or her own initiative. It is an offence under section 48 not to comply with a compliance notice. Section 66(1) of the Health Records Act 2001 (Vic) enables the Health Services Commissioner to serve a compliance notice on an organisation in the same way as the Information Privacy Act 2000. Section 66(5) enables the Health Services Commissioner to act on his or her initiative. Failure to comply with a compliance notice is an offence under section 71 of the Health Records Act 2001 (Vic).

Under the Trade Practices Act 1974, the Australian Competition and Consumer Commission (ACCC) has the power to accept court-enforceable undertakings[144]. It may use this power to resolve a possible contravention of the Act by deciding to accept formal administrative settlements or undertakings from businesses, including in addition to or in lieu of taking legal proceedings. The ACCC advises that it does not accept offers of such undertakings unless the undertakings are to be made public and do not contain denial of contravention of the Act. The ACCC may enforce such undertakings in court if they are not honoured.

Under Section 155(2) of the Anti-Discrimination Act 1991 (Qld), the Queensland Commissioner may initiate an investigation if:

(a) during the course of carrying out the commission's functions, a possible case of a contravention of the Act against a group or class of people is discovered, the matter is of public concern and the Minister agrees; or

(b) an allegation is made that an offence against the Act has been committed; or

(c) during the course of carrying out the commission's functions, a possible offence against the Act is discovered.

Under Subsection 155(4), if the Queensland Commissioner investigates under subsection 155(2) and the matter cannot be resolved by conciliation, the Queensland Commissioner may refer the matter to the tribunal as if it were a complaint. In such an instance, the Queensland Commissioner acts as if they were the complainant (section 155(5)).

Power to audit private sector

Existing power

In general, the Commissioner does not have an audit power in relation to the private sector provisions[145]. The Commissioner can audit an organisation if invited by the organisation to do so; however, to date there have been no audits under this function[146].

Benefits of audit power for private sector

Having a private sector audit power may increase community confidence in the efficacy of the Privacy Act and give the Office an additional power to identify systemic issues and to monitor responses.

However, if the Office were to have the power to audit the private sector, this would have resource implications. It currently carries out limited audits in those areas in which it has the power. In addition, it could be argued that this is a role that a number of private sector consultancy firms carry out, and should not be one taken on by the Office.

A more appropriate role may be for the Office to provide information on the value of auditing to organisations as evidence of compliance in the event of complaints. The Office could also develop and provide privacy audit training for organisations. Another option could be for the Office to provide privacy audit resources including auditors who have privacy expertise. In the latter case the Office could consider whether some form of privacy auditor accreditation would be useful or necessary.

Other power to address systemic problems in complaints

Extend section 52 powers

The Privacy Act could be amended to extend the Commissioner’s powers under section 52 to apply specific systemic remedies to individual and representative complaints. This would enable the Commissioner to prescribe a specific course of action to eliminate acts and practices in a systemic way as part of its complaints system. This would be an efficient and effective way of addressing systemic issues that it comes across in the course of handling complaints. This is important as complaints are the main way that the Office becomes aware of privacy practices.

Power to issue binding guidelines

The Privacy Act could be amended to give the Commissioner the power to issue binding guidelines. This could be a useful tool in contexts where the Office becomes aware of systemic issues and wishes to issue general, but binding, guidance to ensure that all organisations comply with them. This creates a more level playing field among organisations, and ensures that conscientious organisations are not commercially disadvantaged.

Such guidelines could address aspects of the NPPs as they are applied in specific contexts, for example, steps to be taken in a particular industry sector to ensure personal information is accurate, complete and up to date. They could overcome uncertainty in application of NPPs in particular situations. It would also benefit consumers to have a more specific idea of their rights.

Binding guidelines would be developed following consultation with affected stakeholders and may need to be disallowable instruments. The Commissioner could also take into account any potential negative impact in deciding whether to issue binding guidelines. Factors to consider here could include whether binding guidelines would add to the complexity of the privacy regime and whether this was warranted in the circumstances.

Power to issue binding codes

An alternative or addition to the options discussed above could be a power under the Act to be able to issue a binding code. Various options for this are discussed in Chapter 2. This may be the best solution in a narrow range of cases such as, for example, the operation of tenancy databases. While, in general, it is preferable and appropriate that the organisations are able to make their own judgments about the steps needed to comply with the NPPs, it may not be the best outcome for some sectors.

The possible value in a mechanism such as a binding code can be illustrated by looking at issues that were considered in the four determinations made in 2004[147] following representative complaints about a tenancy database operator and in the general context for these complaints. The determinations considered questions such as:

whether the charges for providing access were excessive – NPP 6.4

what steps are reasonable to ensure personal information is ‘accurate, complete and up-to-date’ – NPP 3

the nature and timing of notice to individuals that they may be listed with a tenancy database and

the length of time a tenancy default listing could be retained on a tenancy database.

The Commissioner found breaches on a number of these issues and made a number of recommendations to prevent the problem reoccurring in the future. However, the Commissioner stated, for example, in Determination No. 2 of 2004 that:

‘The complainants have asked me to make a declaration requiring TICA to develop new forms to meet its obligations under NPP 1.5. I am not satisfied that I should do so. While I have declared that TICA should not repeat or continue conduct which constitutes an interference with the privacy of an individual, I do not, in my view, have the power under section 52(1)(b)(i)(B) to otherwise generally prescribe how TICA should act.’

In practice, the impact of the Commissioner’s determinations on the tenancy industry appears to have been limited. The Office continues to receive complaints from individuals about tenancy database operators, and these complaints raise many of the same issues that were dealt with in the determinations as well as new issues.

A number of database operators have called for the Commissioner to ‘rule’ on a number of aspects of the NPPs, including for example, the timeframe for keeping listings and fees for access. The interest here seems to be in seeking certainty and to some extent a level playing field.

A binding code could set specific direction in relation to the accurate content of listings (NPP 3) or time limits for removal of listings from a tenancy database (NPP 2.1 and NPP 4.2). It could also address matters such as appropriate mechanisms for dispute resolution.

Improve liaison with overlapping complaint handlers

The Office could liaise closely with these bodies to ensure that privacy complaints are handled efficiently and to minimise confusion and costs for both individuals and organisations. It could have a memorandum of understanding to ensure that the most appropriate regulator is considering each complaint and to improve overall complaint-handling.

Care would be needed to ensure that any memorandum of understanding did not limit individuals’ rights under the Privacy Act. However, this is a matter that could be addressed, for example, by agreement that bodies would provide information about rights under the Privacy Act in their publications. That said, where individuals come to the Privacy Commissioner after their complaint has been considered by another body, the Office’s approach generally would be to take account of investigations by other bodies in deciding whether it should investigate a matter, and it has done so in a number of cases.

The Office has had discussions with other bodies that handle privacy or privacy related complaints, including the Telecommunications Industry Ombudsman and the Banking and Financial Services Ombudsman. There is a common interest in ensuring that as far as possible a complaint is handled by the appropriate body. This avoids the complaint ‘merry-go-round’ and ‘double-dipping’ (where consumers approach consecutive bodies seeking a better outcome).

Advice about complaint rights

Many organisations already tell people in their privacy notices about how to complain to the organisation and also the Office. However, the NPPs do not currently require this.

This change could complement other measures to ensure individuals are aware of their rights and how to pursue them.

A partial model is found in paragraph 3.7 of the Credit Reporting Code of Conduct that requires credit reporting agencies to immediately inform individuals that they have recourse to the Privacy Commissioner, if the credit reporting agency establishes that it is unable to resolve the dispute. This could be a useful tool in the overall strategy to raise awareness and identify and remedy systemic issues. It could be achieved by amending the NPPs or by the Office issuing an information sheet or other guidance.

Address delay in handling complaints

The issues paper highlighted that individuals who complain to the Office generally face a considerable delay (currently between 10 and 12 months) before the Office can handle their complaint. This is primarily due to the volume of complaints the Office has received since the private sector provisions came into effect.

The Office has given priority to its complaint handling function so as to minimise delay in complaint investigations for complainants and respondents. It has diverted resources from other areas of responsibility, including auditing of Commonwealth agencies, towards complaint handling on the rationale that increasing complaint backlogs had the potential to undermine the operation of the Privacy Act.

Submissions from all quarters express dissatisfaction with the length of time it currently takes the Office to handle complaints. It complicates business relationships and consumers want outcomes.

Review practices

The Office is keen to ensure that complaints are dealt with in a timely manner and that the parties are not disadvantaged by any delay. To this end, since 2001 the Office has reviewed and modified its practices by employing a number of strategies to deal with the complaint numbers. These include:

introducing a new complaints management system

implementing a more rigorous system to triage complaints received

improving workload management

more standardisation of correspondence

a system for referring certain queued complaints back to the respondent and

employing a web based tool that allows potential complainants to test if the Commissioner is likely to be able to investigate their complaint.

The following statistics give a brief overview of the extent of total complaints and enquiries to the Commissioner[148].

                              2000-2001   2001-2002   2002-2003   2003-2004   2004-2005
Enquiries to Hotline          8177        21033       21290       20208       13541
Written Enquiries             884         2700        2382        2206        1301
Complaints under section 36   194         632         1090        1276        839

The Office is concerned that the complaint resolution process is impaired if complainants wait a long period before their matter is investigated. As time passes the quality of evidence deteriorates. The Office is also concerned that the delay may allow poor privacy practices to continue unchecked and that systemic problems remain undiscovered.

Further review complaints practices

The Office could consider further streamlining its processes but it would need to consider the extent to which it could do so without undermining principles of natural justice.

Cost recovery

The Office could consider charging respondents to handle complaints about them. It could also consider charging complainants. However, the Office notes that it is not aware that other complaints handlers, apart from Courts, charge applicants to handle disputes.

Power to decline to investigate and other strategies

Other options for responding to the delay could include giving the Commissioner stronger powers to decline to investigate complaints where there appears to be little public interest (for example, where there is minimal apparent harm, or the matter has been considered before and the organisation has changed practice).

As discussed above, the Office could give greater emphasis to complaints or investigation into systemic issues with a view to preventing future harm (and privacy complaints). However, in the short term the latter strategy may mean that the backlog of individual complaints gets larger.

5.7 Recommendations: Complaints handling and compliance

Approach to compliance

37. The Office will maintain its current approach to compliance including the focus on attempting to conciliate complaints in the first instance as set out in Information Sheet 13. However, the Office will consider whether it might be appropriate in some circumstances to use its other powers earlier, such as the determination making power.

38. The Office will consider options for providing more feedback on systemic issues either in advice or guidance or in some form of regular update to stakeholders.

39. The Office will consider promoting privacy audits by private sector organisations, including by providing information on the value of auditing as evidence of compliance in the event of complaints and by developing and providing privacy audit training for organisations.

Review rights for complaint decisions

40. The Australian Government should consider amending the Privacy Act to give complainants and respondents a right to have the merits of complaints decisions made by the Privacy Commissioner reviewed.

Fair and transparent complaint processes and resolution

41. The Australian Government should consider amending National Privacy Principle 1.3 to require organisations to tell individuals how they can complain to the organisation; and that, if the complaint is not resolved, they can also complain to the Privacy Commissioner or (where relevant) the code adjudicator.

42. The Office will review its complaints handling processes and will consider the circumstances in which it might be appropriate to make greater use of the Commissioner’s power to make determinations under section 52 of the Privacy Act.

43. The Office will also consider measures to increase the transparency of its complaints processes and complaint outcomes.

Additional powers

44. The Australian Government should consider amending the Privacy Act to:

expand the remedies available following a determination under section 52 to include giving the Privacy Commissioner power to require a respondent to take steps to prevent future harm arising from systemic issues

provide for enforceable remedies following own motion investigations where the Commissioner finds a breach of the NPPs

provide a power for the development of binding codes and/or binding guidelines in cases where there is a strong public interest, where more detailed guidance is warranted or complaints reveal recurrent breaches (see recommendation 7).

Resourcing implications and complaint handling

45. The Australian Government should consider the strong calls by a wide range of stakeholders for the Office to be adequately resourced to meet its complaint handling functions.

46. The Australian Government should consider amending the Privacy Act to give the Commissioner a further discretion not to investigate complaints where the harm to individuals is minimal and there is no public interest in pursuing the matter.

6 Balancing individual privacy interests with business efficiency

6.1 Introduction

Law and policy

The private sector provisions of the Privacy Act introduced what the then Attorney-General called a ‘light touch’ approach to privacy protection. They established a co-regulatory regime which was intended to be responsive to both business and consumer needs[149]. This was to be achieved by using high level principles rather than prescriptive rules and by encouraging organisations and industries to develop their own privacy codes.

The legislation also included a number of exemptions, including an exemption for employee records, on the ground this was better dealt with under workplace relations legislation, and an exemption for small business.

Issues

The issues paper considered the balance struck by the private sector provisions between individual privacy interests and business efficiency. It discussed, among other things, the high level principles approach, the costs of compliance, the level of compliance, industry and organisation codes and the small business exemption.

Striking the balance

Submissions are divided on the question of whether or not the private sector provisions strike the right balance between individual privacy and business efficiency. Electronic Frontiers Australia (51) and Xamax Consultancy Pty Ltd (3) suggest that the existing provisions are so inadequate that a new Act that makes a genuine attempt to protect individuals’ privacy is the only solution.

On the specific issue of balance, the Communications Law Centre (72) says there is an overwhelming imbalance between the competing interests of organisations and individuals, where organisations’ interests such as business efficiency clearly outweigh the privacy rights of individuals.

On the other hand, submissions from business are more likely to support the existing regime. Promina Group (34), an insurance and financial services corporation, for example, supports the regime and the approach taken by the Privacy Commissioner and says that this approach creates the right balance between commercial or business interests and the protection of an individual’s privacy rights.

Similarly, Telstra Australia Ltd (110) states that the Act contains an effective balance between rights of the individual. In its view, this balance could be enhanced by the Office lifting its profile and providing more information about privacy issues to the community.

Principles or rules

Submissions generally support principles based approach

The submissions that address the issue generally support the principles based approach of the private sector provisions. It is the approach that best allows Australian businesses to adopt practices that are tailored to individual businesses while providing consumers with an assured level of protection[150].

It allows each business the opportunity to identify its own business practices and to apply the principles to them[151]. It provides adequate levels of privacy protection without imposing unnecessary compliance costs on business[152].

High level non-prescriptive principles, adequately supported by guidelines and information sheets, are the most appropriate way to meet the needs of individuals and businesses. A more prescriptive approach would increase compliance costs without necessarily delivering an improvement to the protection of individuals’ privacy[153]. The dangers of a more prescriptive system are that the system may be inefficient and/or unworkable in the many business circumstances in which it would apply and, needing ongoing amendment to keep up with technological change, would add to the confusion and compliance costs faced by business[154].

Some submissions offer qualified support of the principles. The Australian Chamber of Commerce and Industry (22), for example, agrees with the approach but says that the NPPs themselves are reasonably prescriptive, and that their content and the obligations they impose are onerous.

Principles may need some illumination

A few submissions want more than high level principles. They are concerned with what else is in place to illuminate the principles, or to support their operation in practice.

The Tenants’ Union of Queensland (69), for example, believes that more specific regulation of tenancy databases is required[155].

The members of a charitable organisation, St Vincent de Paul (117), experience a lack of certainty and need practical guidance on what is permitted and what is not.

6.2 Approved Privacy Codes

Law and policy

Codes, both industry and organisation, were intended to be a key feature of the privacy regime established by the private sector provisions. The aim of the legislation was, in the words of the then Attorney-General:

The Privacy Commissioner may approve a code if, and only if, the Commissioner is satisfied of specific matters listed in the Privacy Act. In deciding whether to approve a privacy code, the Commissioner may consider matters specified in guidelines issued by the Commissioner, if any[157]. Among the matters the Commissioner must be satisfied of is the requirement that the code incorporates all the NPPs or sets out obligations that, ‘overall are at least the equivalent’ of all the NPPs[158].

The Guidelines to the National Privacy Principles, developed by the Office, say that a code has to be reviewed every three years.

Codes are now legislative instruments under the Legislative Instruments Act 2003. They are not disallowable by the Parliament. As a legislative instrument, the decision to approve a code is not reviewable under the Administrative Decisions (Judicial Review) Act 1977. The decision not to approve one may be reviewable.

Issues

The issues paper noted that, despite the expectations at the time the legislation was passed, there have been very few applications for code approval. Only three codes have been approved, and three more are in the pipeline[159]. The issues paper listed possible reasons for the apparent lack of interest in developing codes and reasons why an industry or organisation might want to develop one. It also noted perceived inadequacies in the approval process. These include a lack of transparency and the failure of the Privacy Commissioner to publish reasons for approving a code. It suggested a number of possible topics for submission, including:

the value of codes

why there have been so few applications

the effectiveness of the code approval process and

ways of overcoming problems related to codes.

What submissions say - issues

Overview

Submissions from the three industry groups that have a code throw some light on the code development and approval process. Submissions from other industry groups and organisations, which generally support codes, consider the reasons why there are so few of them. Finally, two submissions from consumer groups consider them from the point of view of consumers.

Insurance Council of Australia

The Insurance Council of Australia (59) supports co-regulation through industry codes because it provides a desirable level of flexibility for business. It looks forward to undertaking its three yearly review of its code in 2005. However, it found the code approval process complex and highly prescriptive. This made it an expensive process, involving costs such as staff time, external legal costs for drafting, extensive consultation with industry, costs of reviewing versions of the Code, implementing compliance systems specific to the Code and, if applicable, fees to an independent code adjudicator.

Clubs Queensland

Clubs Queensland (96) sees its code as an important service to its members. It noted, however, that the code development process was extremely complex and costly because of the generic nature of the Code Development Guidelines issued by the Office. These required Clubs Queensland to consult not only members of clubs but the public generally. It fears that the review of its code will require a substantial administrative and financial commitment because of the complexity of the process and, if the cost is prohibitive, may tell its members to revert to the NPPs.

Association of Market Research Organisations and the Australian Market and Social Research Society

The Association of Market Research Organisations and the Australian Market and Social Research Society (61) state that most major research organisations operate within the framework of the approved industry code. They believe that, on the whole, the Privacy Act works well, providing research participants with appropriate privacy safeguards and helping the industry to differentiate itself from industries with less stringent protection practices.

Reasons why there are few codes

Business perspective

Most submissions from business support codes in principle. The Real Estate Institute of Australia (13), however, is ambivalent. It expresses concern about the multiplicity of government bodies seeking to use codes to regulate business, thereby shifting a heavy cost burden from government to industry. On the other hand, it believes there are benefits in industry playing a role in developing a code of conduct.

Other submissions from business suggest a variety of reasons why there are only three codes. The Australian Chamber of Commerce and Industry (22) states that the benefits to consumers of an organisation adopting a code, which it sees as a higher standard, do not outweigh the costs to the organisation. In any case, the NPPs are adequate and codes take some time to develop. Coles Myer (60) believes there are few codes because the NPPs work.

A number of submissions focus on the cost and complexity of developing a code. The Australian Direct Marketing Association (67) gives three reasons:

the approval process is more complex than had been anticipated

the requirement that codes embody a higher standard than the legislation discouraged organisations from developing and submitting codes and

advice from law firms favoured the ‘default option’ as less expensive and more resource efficient.

Several submissions say there is little point in developing a code. Privacy Law Consulting Australia (66) sees little benefit in developing and maintaining a code for the majority of organisations and industries. The Royal District Nursing Service (78) agrees, stating that:

‘It is of little or no benefit for an organisation to seek to prepare at its own significant cost and impose on itself a Code that must be of a standard of no less than that imposed under the current legislation.’

In the view of Telstra Corporation Ltd (110), codes will generally only be attractive to industries with specific requirements.

Consumer perspective

The Australian Privacy Foundation (90), whose submission is endorsed by the Consumers’ Federation of Australia (65), is not surprised there has been relatively little take up of the codes option by the private sector. In its view, there is little advantage to businesses in developing or adopting a code. The development and approval process is long and onerous and the inclusion of a complaints handling process effectively privatises costs that would otherwise be borne by government. It is concerned that a proliferation of codes would further confuse the public and detract from privacy awareness building.

The Australian Consumers’ Association (ACA) (15) is also ‘not unhappy with’ the lack of enthusiasm of business for developing and adopting codes, having feared that a proliferation of poorly co-ordinated codes could fragment the regulatory landscape to an unacceptable degree. In its view, it would be far better to address the needs of the Office than to create a hothouse atmosphere to artificially encourage industry codes. The ACA also addresses the potential brand argument of codes. It does not see the role of regulation and regulatory processes as being to confer competitive advantage.

What submissions say – addressing the issues

Although codes have not proved as popular as might have been expected before the implementation of the private sector provisions, submissions show there is support for the concept. Certainly no-one suggests they should be abolished.

Most submissions that make recommendations focus on simplifying the process. The Insurance Council of Australia (59), for example, recommends that the capacity for co-regulation provided by codes should be retained; the approval process, however, should be made less complex and prescriptive. Australian Direct Marketing Association (67) agrees that there is a continued role for codes in the privacy scheme and that the approval process should be simplified. Clubs Queensland (96) recommends that the requirements in relation to the operation and review of a privacy code be simplified.

Telstra (110) recommends, among other things, that the development of codes would be encouraged if the Privacy Act were amended to give the Commissioner a discretion to approve codes with privacy protections not equivalent to those under the NPPs where it was in the public interest to do so.

There was some support for the proposition that the Office should have the power to initiate the development of a code. The Australian Privacy Foundation (APF) (90) says that the Privacy Commissioner should be able to initiate a code. The Australian Bankers’ Association (70), on the other hand, specifically rejects this. The Investment and Financial Services Association Ltd (89) agrees, saying that it should rest with individual companies or the respective industry body[160].

The APF also makes a number of other suggestions:

codes should be disallowable instruments

the Privacy Commissioner should be required to make public a code proponent’s submission dealing with its public consultation process

the courts should be deemed to have notice of codes in the register kept by the Privacy Commissioner

the Privacy Commissioner should be able to review any decision of a code adjudicator.

Options for reform

Repeal code provisions

Since the implementation of the private sector provisions, there have been very few applications for approval of an industry or organisation code. This suggests that it may be appropriate to repeal the code provisions. On the other hand, as the value consumers place on their privacy increases and as industry bodies and organisations become more familiar with the notion of privacy, codes may come into their own.

Simplify the approval and review process

The legislation gives the Privacy Commissioner the power to approve a code. The processes for developing, approving and reviewing codes are in Office Guidelines. The Office has now had the experience of three years of the operation of the private sector provisions and is in a favourable position to review the Guidelines with a view to simplifying the processes without reducing code standards. Ensuring a code meets the equivalence test can be time consuming and costly both for the code proponent and the Office.

Modify equivalence requirement

The law could be amended to allow an industry or organisation, in developing its code, to provide for a lower level of protection in one area and maintain ‘equivalence’ by providing for a higher standard in another. This would give more flexibility in developing a code that met the needs of the industry or organisation while at the same time protecting the interests of consumers. On the other hand, it would make the Office’s oversight role more difficult and may be confusing for consumers. It could also add to the problems arising out of national consistency and undermine the technological neutrality of the NPPs.

Commissioner could give reasons for approving a code

The Privacy Commissioner’s discretion to approve a code is circumscribed by the legislation. There is a broad discretion, however, not to approve one. The legislation does not impose on the Privacy Commissioner an obligation to give reasons for a decision to approve a code, or not to approve, although the Guidelines state that the Commissioner will give reasons for deciding not to. Improved accountability and transparency may require reconsideration of the issue. On the other hand, the scope of the Privacy Commissioner’s discretion is limited, and giving reasons for approval may well have resource implications for the Office.

6.3 Recommendation: Approved Privacy Codes

47. The Office will review the Code Development Guidelines dealing with the processes relating to code approval with a view to simplifying them.

6.4 Compliance costs

Law and policy

Compliance with the legislation involves a cost burden on organisations. There was the cost of implementing the legislation in the first place, including developing and reordering systems, developing policies and procedures and training staff. There are also ongoing costs. These include the costs of continuous training and the costs of complying with obligations, for example, informing individuals from whom personal information has been collected, seeking consent for use and disclosure of the information for secondary purposes and providing individuals access to their personal information.

Issues paper

whether the benefits of having a privacy law outweigh the costs to business and

ways of reducing any unreasonable costs imposed.

What submissions say

Costs are important

Not surprisingly, most submissions on the issue of costs come from business. The Australian Chamber of Commerce and Industry (22) says compliance costs are critically important to the business community and should be of concern to everyone because they are ultimately borne by the broader community. It goes on to say that there has been no significant research on the costs involved in complying with the private sector provisions and, as a result, policy formulation is done in a vacuum. It suggests that an in depth study should be commissioned.

The Investment and Financial Services Association Ltd (89) says that its members report significant disruption and cost with the original implementation but relatively small ongoing compliance costs.

The Australian Consumers’ Association (15) has little sympathy for complaints about compliance costs. It goes on to say that it is difficult to conjure a vision of a more bare-bones privacy framework:

‘There is no required reporting and no mandatory recording. The [Office] has scant investigative powers and none of audit in the private sector . . . [The Act] sets out little more than reasonably sensible data management practice. The [Office] has no power to seek anything other than restitution and so has little capacity to impose direct cost on industry.’

Actual costs

Some submissions outline the steps taken by organisations to comply with the private sector provisions initially and on an ongoing basis, and the costs involved in compliance. The Insurance Council of Australia (59) lists the initial compliance steps:

developing roles for staff allocated to privacy and developing the position of privacy officer

developing procedures for handling complaints and

developing procedures for handling requests for access.

The most costly aspect of implementation was the systems changes, estimated to cost $10-15 million for its members.

The steps involved in continuous compliance are:

annual printing of privacy policies

privacy disclosure in telephone sales (that is, the extra time spent on the telephone)

training new staff and refreshing existing staff

continuous improvement of systems

continuous employee costs of staff allocated to dealing with privacy

handling complaints and

handling access requests.

Costs include $1-2 million per annum for telephone sales, $300 000 to $500 000 per annum for staff training and between $5 000 and $50 000 for the handling of each dispute, depending on the complexity of the dispute.

One member of the Investment and Financial Services Association Ltd (IFSA) (89) spent $430 000 on initial implementation and spends $50 000 per annum on ongoing compliance costs. The company has had eight privacy complaints in the last 3 years. Another member of IFSA (89) spent $2.248 million on initial implementation costs.

At Coles Myer Ltd (60), more than 80 people were directly involved in the implementation program across the Coles Myer group. Coles Myer says a conservative estimate of costs in the lead up to the commencement of the provisions would be more than $300 000 in resource costs and systems development.

For the Suncorp Group (35), the set up and implementation cost was approximately $1.2 million.

Commerce Queensland (83) reports that for the National (National Australia Bank and MLC) the changes, which over a three year period cost about $28 million, included:

training

development and publication of notifications

numerous consultants

external legal advice

establishment of project team

technology changes and

establishment of the Australian Privacy Office (3 permanent full time staff).

State and territory legislation increases costs

A number of submissions focus on the additional compliance costs borne by national organisations that are subject to new and inconsistent state and territory health legislation.

The Australian Compliance Institute (16) and a confidential submission both say that the introduction of legislation by the states and territories has increased the compliance burden on business. As each state or territory introduces new legislation there is a new round of costs for businesses.

In the view of the Investment and Financial Services Association Ltd (89), State and Territory health records legislation with its inconsistencies results in increased compliance costs for its member organisations. The ANZ (40) says differing state and territory (workplace surveillance) laws add to compliance costs and complexity.

Costs and benefits

Most submissions from business focus on the costs of compliance rather than the benefits; some, however, acknowledge that there are benefits. A confidential submission says that the benefits are not commercial, but intangible, for example, increased standing with customers who become confident that the business will deal ethically with their personal information. In a similar vein, Fundraising Institute Australia Ltd (52) states that the benefits, community confidence and trust in the industry, outweigh the costs. Telstra (110) agrees:

‘The significant financial cost to Telstra in taking steps to comply with the Privacy Act has been offset by the value to Telstra of the improved systems and processes and from a brand perspective.’

Coles Myer Ltd (60) says that the costs outweigh the benefits to customers, while acknowledging that a simple cost benefits analysis fails to recognise the value of brand equity or public reputation, in which major companies invest heavily.

Change will involve more costs

A number of submissions note that even minor changes at this stage would involve significant costs. A confidential submission says that there is no justification for increasing the cost of compliance for business in this area. Virgin Mobile (Australia) Pty Ltd (26) wants the costs of changes to be weighed up against any perceived benefits. For Optus (98), it is important that the privacy regime is not changed lightly. Even seemingly minor changes can result in significant additional compliance costs for industry. Finally, Telstra (110) says that any significant changes to the NPPs are likely to increase the cost of compliance and that any changes resulting from the review should be kept to a minimum. Rather, the focus of the review should be on improving the operation of the existing regime.

6.5 Business awareness

Issues

The issues paper acknowledged that high level principles are less amenable to specific direction than a more prescriptive, rule based regime would have been. It noted that the Office has not made many determinations and that there had been few judicial decisions about the private sector provisions. It identified the Office’s role in promoting awareness as an issue to be considered. It suggested, among other things, as possible topics for submissions:

evidence about current levels of awareness

strategies for increasing awareness and

effectiveness or otherwise of the information prepared by the Office.

What submissions say

Overview

Most submissions that address the issue report a relatively high level of awareness of the private sector provisions and of compliance with them. Nevertheless, a number of submissions suggest ways of improving awareness and compliance. Some submissions identify particular contexts in which problems are caused by a misunderstanding of the provisions on the part of business.

Industry generally familiar with provisions

In the experience of Privacy Law Consulting Australia (66) there is a high level of compliance among large organisations as they have allocated resources and implemented policies, procedures and systems to ensure they meet requirements under the Act. There is a significantly lower level of compliance, however, among mid to small size organisations that are covered by the Act. Reasons for this include lack of awareness.

The Credit Union Services Corporation (64) is of the view that industry generally has become familiar with the NPPs and has developed relevant policies. Optus (98) states that Australian industry is committed to addressing privacy issues positively.

On the other hand, the Victorian Automobile Chamber of Commerce (113) found, in a survey of its members in 2002, that knowledge and understanding of information privacy laws was not as thorough as it would have liked. There was confusion as to which law (Commonwealth or State) applied to the business and whether privacy laws conflicted with other obligations, for example, occupational health and safety obligations.

Some problem areas

Bankruptcy

Submissions identify particular areas where a lack of knowledge of the provisions or a misunderstanding of the obligations they impose gives rise to problems. The Insolvency and Trustee Service Australia (25) says that a review of Part X of the Bankruptcy Act conducted in 2003 revealed a substantial level of misunderstanding about privacy obligations.

Some creditors suggested that the Privacy Act prevented them from giving information to the Trustee in Bankruptcy even though it might assist the Trustee’s administration of the estate. It recommends that more should be done to educate the private sector about appropriately using and disclosing personal information. In addition, public confidence in the personal insolvency system should be recognised as an important social interest to be balanced against an individual right to privacy.

Medical research

The National Health and Medical Research Council (32) also identifies misunderstanding of the provisions, rather than the provisions themselves, as a cause of confusion in the complex regulatory framework of medical research. It suggests that the Office should design and implement a structured education and communication campaign with the objective of improving stakeholder understanding.

Dealing with people with a disability

The experience of the Australian Guardianship and Administration Committee (114) is that there is significant room for improvement in how service providers interpret and apply privacy legislation, especially in relation to people with a disability and their families. It believes that frontline staff implement inflexible policies as to how the provisions should be interpreted and applied and that this gives rise to nonsensical and frustrating situations where common sense solutions should apply. The committee recommends that the Office should divert a significantly greater resource commitment to education and training and that it should publish an information sheet or good practice guide that emphasises the need for a common sense approach, particularly in situations that involve relatively minor issues.

Other

The Police Association (Victoria) (116) states that organisations are not fully conversant with the exemptions to the Act, in particular the law enforcement exemption[161].

How the Office could assist business

Some submissions suggest ways the Office could assist business in complying with its obligations. The Australian Direct Marketing Association (67), for example, suggests that the Office should review its communications strategies, particularly with key stakeholder organisations. Business would like to see, it says, effective and comprehensive reporting of rulings complete with the reasoning behind decisions[162].

larger organisations at least to nominate a designated privacy contact officer for contact by the regulator and to publicise contact details and

larger or significant organisations to have to conduct and report on periodic audits.

Options for reform

Office should conduct a community awareness campaign about business obligations

There is no doubt that there is a degree of misunderstanding and confusion about the private sector provisions among some business sectors, especially small business. It is not only businesses that are covered by the Privacy Act, but businesses that are not, that are uncertain of their obligations. Many businesses, including those who are not covered by the Privacy Act, err on the side of caution in not disclosing personal information in circumstances where it is appropriate that it should be, for example, the amount owing on a utility bill to a carer who wants to pay the bill. The Office could address this gap in awareness.

Review Office information sheets

The Office has published a series of information sheets on a range of topics including codes, privacy obligations for Australian Government contractors and the application of the NPPs to due diligence and completion when buying and selling a business. The consultation process has identified ways in which some of them could be made more useful. There could be a thorough review of the Office’s information sheets with a view to amending them.

Review strategies for communication with stakeholders

The Commissioner takes advice from the Privacy Advisory Committee[163]. The Commissioner also invites people to participate in ad hoc consultative bodies for particular purposes. There is, for example, a reference group for this review. There are, however, other measures the Office could take to ensure it communicates effectively with stakeholders. One such measure could be to establish a privacy contact officer network for the private sector along the lines of the privacy contact officer network in the public sector.

Impose obligations on organisations to keep records and report

One way to ensure that organisations continue to fulfil their obligations under the NPPs is to impose obligations on them to appoint a contact officer for contact by the Office, to keep records and to report on their compliance. This could ensure more effective oversight of organisations by the Office. On the other hand, it is not consistent with the principles based approach of the private sector provisions.

6.6 Recommendations: Business awareness

48. The Australian Government should consider the benefits of greater business and community awareness of privacy and specifically fund the Office to undertake a systematic and comprehensive education program to raise business awareness.

50. The Office will develop strategies for communication with stakeholders, including establishing a privacy contact officer network for private sector organisations.

6.7 Small business exemption

Law and policy

Current law

Generally speaking, a ‘small business operator’, that is, a business that has an annual turnover of $3 million or less, is exempt from the operation of the private sector provisions. Some small businesses, however, must comply with the provisions. They are small businesses that:

are related to a business that has an annual turnover of more than $3 million

provide health services to people and hold health information about them

trade in personal information, for example, by buying or selling names and addresses for inclusion on a database, unless they do so with the person’s consent or

are contracted to provide services to the Australian Government.

In addition, a small business may voluntarily opt-in to be covered by the provisions. Currently 130 small businesses have opted in to coverage.

Finally, the Government may prescribe small business operators, or acts or practices of small business operators, bringing them within the operation of the Act. To date this provision has not been used.

Rationale for the exemption

There are two main reasons for the small business exemption. First, many small businesses do not have significant holdings of personal information. They may have customer records used for their own business purposes; however, they do not sell or otherwise deal with customer information in a way that poses a high risk to the privacy interests of those customers[164].

Secondly, it is necessary to balance privacy protection against the need toavoid unnecessary cost on small business[165].

Issues

The issues paper considered the operation of the small business exemption and suggested possible topics for submissions:

whether the exemption reduces the compliance burden on small business

whether the benefits of the exemption outweigh the disadvantages for business and for individuals

whether the provisions are clear about to whom the exemption applies

whether the $3 million or less threshold is still appropriate and

any other issues raised by the exemption and ways of overcoming them.

What submissions say

Overview

Submissions are roughly evenly divided between retention of the small business exemption and repeal. Submissions favouring retention generally come from businesses and business organisations. Submissions favouring repeal come from consumer groups and also from some businesses and a charity organisation. Some submissions that favour retention suggest that the definition should be changed.

Repeal the exemption

A number of submissions that favour repealing the exemption focus on the potential for confusing consumers. The Australian Consumers’ Association (15) says it raises serious practical difficulties for consumers who do not usually know what the annual turnover of a business is and therefore if they can make a complaint or not. Electronic Frontiers (51) notes that individuals are rarely in a position to know whether or not the business they are dealing with is a small business for the purposes of the Privacy Act since annual turnover is not usually published. As the Australian Privacy Foundation (90) says, there is no easy way for consumers to know the turnover of a business and therefore whether or not it is subject to the Privacy Act.

Fundraising Institute Australia Ltd (52) notes that not only is the exemption confusing, it has the potential to undermine public confidence about the protection of personal information. The Australian Direct Marketing Association (67) opposes exemptions that cause confusion in the minds of consumers and undermine confidence in the effectiveness of privacy protection.

Some submissions claim that some of the most privacy intrusive activities are performed by small businesses, even sole traders, including private detectives, debt collectors, internet service providers and dating agencies[166]. They also claim some, for example internet service providers, may hold significant personal information, including sensitive information[167].

Fundraising Institute Australia Ltd (52) says the costs argument is not enough to justify retention; and, in any case, says the Australian Consumers’ Association (15), the cost burden of compliance is not significant.

At the very least, in the view of the Australian Privacy Foundation (APF) (90), the core requirements should apply to all businesses, large and small:

‘The core requirements of the NPPs - being open about the use of personal information, handling it in accordance with reasonable expectations, and keeping it secure, should apply to all organisations. It would however be reasonable to exempt many smaller businesses from any formal requirements to take particular actions, in advance of enquiries’.

In the APF’s view, small businesses that collect and handle personal information for a purpose that is or should be obvious should not have to give specific notices under NPPs 1.3 and 1.5. They should, however, be required to answer enquiries (NPP 5) and give access and make corrections on request (NPP 6). They should be able to be held accountable after the event for their collection and use of personal information and for any data quality or security breaches.

Finally, the exemption costs the members of at least one industry organisation. The Australian Collectors Association, Institute of Mercantile Agents, Australian Institute of Credit Management (115) say that debt collectors who are contractually bound by their clients not to outsource to non-compliant companies must send city based staff to service regional areas. In their view, this forces up their costs to unreasonably high levels.

Retain the exemption

Most submissions that favour retaining the exemption do so on the basis of the costs arguments, that is, that the costs of compliance would be too great for small business to bear.

Regulatory ‘red tape’ and compliance costs have a major detrimental effect on the viability of small businesses in Australia, according to the Real Estate Institute of Australia (13). The Victorian Automobile Chamber of Commerce (113) says that small businesses would be greatly disadvantaged if they had to comply with the private sector provisions as their competitiveness and profitability would be reduced. The Housing Industry Association Ltd (106) says that removing or diluting the exemption would impose unnecessary significant costs on small businesses in the housing sector, including the more than 350 000 independent contractors that work in the residential building sector.

Certainly there should be no change in the absence of a substantial body of evidence suggesting there is a problem, in the view of the Chamber of Commerce and Industry of WA (Inc) (77).

The Australian Chamber of Commerce and Industry (22) estimates that there are about one million businesses in Australia currently exempt and that the bare minimum costs of their establishing a simple privacy regime would amount to a total of $2.4 billion, or about 0.3 per cent of gross domestic product.

Change the definition of small business

Some submissions suggest changing the definition of small business for the purpose of the exemption. The Australian Information Industry Association (43) suggests changing it to that used by all governments to describe small and medium enterprises. The Association of Market Research Organisations and the Australian Market and Social Research Society (61) notes that the current definition is at odds with that used by the Australian Bureau of Statistics and the Australian Taxation Office.

A number of submissions favour retaining turnover as the basis of the definition but say it should be increased to $5 million[168].

Other submissions consider focussing on the level of risk. The Communications Law Centre (72) suggests including within the operation of the Act industries that pose a particular risk. It identifies the internet/e-commerce as one where small internet businesses are able through the use of privacy invasive technologies to collect efficiently and easily a large amount of personal information about many individuals.

The Consumer Credit Legal Centre (NSW) Inc (62) and the Consumers’ Federation of Australia (65) nominate telecommunications and finance as industries once dominated by large companies but now including many small businesses.

In the view of Electronic Frontiers Australia Inc (51), at the very least, all smallbusinesses involved in the telecommunications and internet services sectormust be required to comply with the NPPs. It says there are two reasons forthis. First, the limited privacy protection provisions of the TelecommunicationsAct do not cover the collection of personal information at all. Secondly,individuals have less control and rights in relation to the collection, use anddisclosure of their personal information by small businesses in thetelecommunications sector than they did before December 2001 when theACIF industry code, containing substantially the same provisions as the NPPsand enforceable by the Australian Communications Authority, wasderegistered by the Authority. That code did not contain a small businessexemption.

Other issues

Some submissions raise other issues relating to the small business exemption. The Consumer Credit Legal Centre (NSW) Inc (62) points out that a debtor who borrows money from a large financial institution that is covered by the private sector provisions may find himself or herself dealing with a debt collector who, being a small business, is not. The privacy protection he or she may have expected when entering the loan may no longer exist.

Privacy Law Consulting Australia (66) fears that it is possible that small businesses that are not bound by the Act may give the impression that they are by having a privacy statement, perhaps on their website, to the effect that: ‘We comply with the Privacy Act’. To avoid confusion, it may be desirable to require the business to state that it is not bound by the Act, but that it chooses to comply with it.

In the view of Telstra Australia Ltd (110), which ensures compliance on the part of its small business contractors by contract, the voluntary opt-in for small business should be better promoted.

Options for reform

Retain the exemption as is

The main argument in favour of retaining the exemption is that the cost of compliance for small business would be too great if the exemption were abolished. It could also be argued that any change is likely to result in increased compliance costs. There does not appear to be evidence of large scale misuse of personal information by small businesses as a whole such as would warrant the removal of the exemption.

Abolish the exemption

The main reasons for abolishing the exemption are its capacity to confuse consumers and the fact that it does not differentiate adequately between those businesses that hold significant personal information and those that do not. On the other hand, as many small businesses do not hold much personal information, it would in fact make little difference to them. Nevertheless, small business may find the costs of implementation and the additional red tape unduly burdensome. Finally, the exemption is a barrier to EU adequacy.

Retain the exemption and change the threshold

There is no apparent reason why the threshold should be a turnover of $3 million. Similarly, there are no compelling policy reasons why it should be increased or decreased. The turnover criterion has been criticised as being meaningless for consumers and as an irrational indicator of size. It is not commonly used as a way to define small business.

Retain the exemption and change the definition

A business’s annual turnover is not generally known. The Australian Bureau of Statistics (ABS) defines small business (excluding agricultural businesses) as businesses with fewer than 20 employees. Although arbitrary, a definition of small business in terms of the number of employees rather than annual turnover may be more easily understood by consumers and other interested parties. If the definition is expressed not in terms of a particular number of employees but by reference to the definitions used by the ABS from time to time, the need to amend the Act each time the ABS definition is changed is avoided.

Impose core requirements of NPPs on small businesses

A small business holding very little personal information is able to use or disclose it in a way that causes significant damage to an individual. The exemption could be modified to impose the core requirements of the NPPs on all businesses and to exempt them from others. They would be accountable for their actions only in the event of a complaint. This would add to the compliance burden of small businesses, but it would not be as onerous as if the exemption were to be removed completely.

Retain the exemption and include high risk sectors within the operation of the Act

It is sensible and consistent with the policy underlying the Act to include within the operation of the private sector provisions small businesses that belong to high risk sectors, in that they handle a lot of personal information, including sensitive information, and give rise to a lot of complaints. To date, the evidence suggests telecommunication service providers and tenancy databases are such sectors.

There are two means by which small businesses that are in a high risk sector could be included: by amending section 6D(4), or by the Attorney-General using the power to prescribe the sectors under section 6E.

The use of the power to prescribe by regulation avoids amending the Act and sets a precedent for the inclusion of other sectors that may become high risk. The power has always existed. It has not yet been used but it was envisaged that the Attorney-General would use it in appropriate circumstances to bring into coverage under the Act industries and organisations that collect and use a lot of personal information.

Remove the consent provision

Small businesses that trade in personal information are not exempt from the operation of the Privacy Act. If, however, the individual consents to the collection or disclosure of the personal information then the business remains a small business and is exempt[169]. This is clumsy and complicated. There is a considerable lack of certainty for small businesses who trade in personal information because it is not clear whether only a single failure to gain consent would change the status of the organisation. The provision could be removed.

6.8 Recommendations: Small business exemption

51. The Australian Government should consider retaining but modifying the small business exemption by amending the Privacy Act so that the definition of small business is to be expressed in terms of the ABS definition, currently 20 employees or fewer, rather than annual turnover.

52. The Attorney-General should consider using the power to prescribe under section 6E of the Privacy Act, the tenancy databases and telecommunications sectors, including Internet Service Providers and Public Number Directory Producers, as businesses to be covered by the Act. (See recommendations 9 and 15.)

53. The Australian Government should consider amending the Privacy Act to remove the consent provisions (sections 6D(7) and 6D(8)).

6.9 Private sector contracting

Law and policy

Many organisations outsource some of their functions or activities. Some of these may involve handling personal information, including sensitive information, collected by the organisation. It might, for example, include health information. There is no clear obligation in the NPPs (unlike the IPPs) that would require the organisation to ensure that the contractor uses the personal information only for the purposes for which it is given and to keep it secure.

The contractor may not itself be bound, for example, if it is a small business. It may not be clear to consumers that they are dealing with a contractor because organisations often prefer the contractor to identify itself under the organisation’s corporate name. The Privacy Act does not make any specific provision for a contractor to be regarded as acting as an agent for the organisation it is providing services for. It is generally regarded as a separate entity. This means the contractor collects personal information from the organisation, which discloses it to the contractor.

Issues

The issues paper noted that as the Privacy Act does not provide for the existence of an agency relationship between an organisation and a contractor, the contractor needs the consent of each individual to collect sensitive information, for example, health information, from the organisation. Similarly, a contractor that is collecting information for an organisation to whom it has contracted its services may need to identify itself under NPP 1.3 as being a separate organisation, and may need to get the consent of the individual from whom it is collecting sensitive information to disclose the information to the organisation on whose behalf it is collecting it. The issues paper suggested possible topics for submissions:

adequacy of the private sector provisions in protecting individual privacy where organisations contract out their functions or activities

impact of the provisions on businesses when they contract out functions or activities that involve handling personal information, particularly sensitive information and

ways that issues that arise might be resolved.

What submissions say

Existing regime is working

Some submissions say that the existing regime is working and that no amendment is needed. Telstra Corporation Ltd (110), for example, says that any uncertainty has been addressed through guidelines and information sheets. Vodafone Australia Ltd (112) says that potential problems are dealt with by using contracts to bind service providers to comply with privacy law. It does not want this way of ensuring privacy obligations are complied with restricted in any way.

Distinction between data controllers and data processors

A number of submissions outline the ways they use contractors. The Australian Direct Marketing Association (ADMA) (67) says, for example, that it is extremely commonplace in nearly all industry sectors for organisations to engage a third party service provider or outsource agency to conduct a business operation on its behalf. It is also commonplace for a third party contractor or outsource agency to require access to an organisation’s customer records and other personal information in order to perform such operations. The outsourced activities may include:

In ADMA’s view, it is unduly onerous to impose the collection and disclosure requirements on both the organisation and the service provider. It is also unnecessary because one is merely performing an operation or processing data on behalf of the other. They should not continue to be regarded as two separate entities for the purposes of the NPPs. Instead, the European Union approach, which recognises the distinction between an organisation, a ‘data controller’, and a third party service provider, a ‘data processor’, should be adopted.

This distinction is made by a number of submissions, including the Law Council of Australia (36) and the Australian Information Industry Association (43). A confidential submission notes that there is confusion as to whether each contractor, as well as the principal organisation, should disclose its name and function to an individual who is providing personal information. All three submissions recommend that the distinction should be recognised to allow business to achieve its objectives efficiently.

Relationship of principal and agent

Some submissions approach the issue from an agency law perspective. These include the Australian Finance Conference (63) and Optus (98). The Australian Finance Conference, for example, takes the view that the law of agency makes unjustifiable the conclusion that when an organisation discloses information to a third party contractor it is ‘disclosing’ to a separate ‘organisation’. In its view the reference in the Office’s Information Sheet 8 – Contractors to a ‘particularly close relationship’ encompasses the principal/agent relationship. In any case, its members have established their compliance programs on this basis and would oppose moves to change this accepted understanding. On that basis, it recommends that there be no change to Information Sheet 8.

Promina (34) takes a narrow view of Information Sheet 8 – Contractors. It describes the circumstance where an insurer paying claims may decide to outsource its cheque printing process to a third party. Strict contractual provisions prohibit the contractor from using the personal information for any other purpose than to produce the cheques. In Promina’s view, Information Sheet 8 – Contractors should be amended to support the position that there need be no further privacy disclosure in such a case.

Options for reform

Amend NPP 4

NPP 4 requires an organisation to take reasonable steps to protect personal information it holds. It does not deal specifically with what should happen when information is given to a contractor. IPP 4 does. It requires the organisation to ensure ‘everything reasonably within the power of the record-keeper is done to prevent unauthorised use or disclosure’. NPP 4 could be amended to strengthen it in line with IPP 4. This puts the obligation on the contractor. It addresses the problems that arise when a contractor subcontracts to a small business that is not covered by the Act.

One way an organisation can ensure that a contractor protects the personal information the organisation has given it for the purposes of performing an operation on behalf of the organisation is to impose the obligations by contract. The Office could amend its Guidelines to this effect.

Amend Information Sheet 8

There seems to be some confusion as to what exactly Information Sheet 8 – Contractors means. The Office should amend it to clarify issues relating to private sector contracting.

Distinguish data controller and data processor

The private sector provisions could be amended to distinguish between data controllers and data processors and to amend the NPPs accordingly. This would overcome the particular issue but would have an impact on the operation of the Privacy Act.

6.10 Recommendations: Private sector contracting

54. The Australian Government should consider amending NPP 4 to impose an obligation on an organisation to ensure personal information it discloses to a contractor is protected.

55. The Australian Government should consider, in the context of the wider review of the Privacy Act (see recommendation 1), whether there should be a distinction between data controllers and data operators.

56. The Office will amend the Guidelines to the National Privacy Principles to clarify that businesses that give personal information to contractors for the purpose of performing a function on their behalf should impose contractual obligations on the contractor to take reasonable steps to protect the information.

6.11 Due diligence on sale or purchase of business

What is due diligence?

‘Due diligence’ is the term used to describe the process that a prospective purchaser of a business undertakes to assess the value of a business’ assets and liabilities. The due diligence process may involve the disclosure and collection of a number of different types of personal information including:

employee information

customer information

information about trading partners and business associates and

marketing files.

Information Sheet 16

As a result of inquiries from organisations buying and selling businesses and engaging in due diligence processes, the Office published Information Sheet 16 Application of key NPPs to due diligence and completion when buying and selling a business. Information Sheet 16 advises buyers and sellers about complying with their obligations under the Privacy Act.

must consider the requirements of NPP 4 (data security) when personal information is disclosed and conduct the sale in a way that reasonably protects the privacy of the individuals whose personal information has been disclosed.

A prospective purchaser organisation:

must consider its obligations in relation to the collection of personal and sensitive information (NPP 1 and NPP 10) and

must be aware that there may be limitations on how it can use and disclose that information (NPP 2) and that it may need to comply with reasonable restrictions imposed by the vendor organisation.

Issues

The issues paper suggested that it may be difficult to determine how the NPPs apply to the disclosure of personal information during the course of due diligence.

‘Depending upon the nature of the business being sold, due diligence may involve disclosure of personal information about key employees or even sensitive information, for example, health information, about employees or clients’.

What submissions say

Few submissions address the issue of due diligence in the buying and selling of a business. There have been no complaints to the Office about a breach of privacy during a due diligence process. Two submissions address the content of Information Sheet 16. The Insurance Council of Australia (ICA) (59) notes that the relationship between the vendor and the purchaser in the Information Sheet is somewhat artificial and that, in reality, business practice requires extensive amounts of information, including personal information, to be divulged between the parties.

the requirements for the transfer of personal information which are required or authorised by law during a sale and purchase of a business and

the disclosure of large amounts of personal information is vital for a purchaser to make a decision on price and financial viability.

A confidential submission suggests that Information Sheet 16 should consider the issues one would consider when transferring (as opposed to buying) a portfolio of business, such as when a portfolio of insurance business is transferred from one insurer to another.

Options for reform

Amend NPPs to take account of due diligence

Businesses are bought and sold. Businesses that hold sensitive personal information are bought and sold. Due diligence occurs. It may be technically a breach of the NPPs. The key NPPs are NPPs 1, 2 and 10. The buying and selling of medical practices or insurance companies, for instance, which requires the transfer of sensitive health information, would require consent under NPP 10, unless one of the other exceptions in NPP 10.1 applied, for example, where the transfer is required by law. It is not practical, and may not be possible, to require an organisation in the process of due diligence to gain the consent of everyone whose personal information is transferred. The relevant NPPs could be amended to take into account the practical realities of due diligence.

Amend Information Sheet 16

Some submissions have made suggestions as to how Information Sheet 16 might be clarified. The issue is complex and the information published by the Office should be as clear and as comprehensive as possible.

6.12 Recommendation: Due diligence

57. The Australian Government should consider amending the NPPs to take into account the practice of due diligence.

7 Balancing individual rights and other social interests

7.1 Media exemption

Introduction

One of the competing social interests identified in the private sector provisions is the free flow of information. One of the ways the legislation promotes the free flow of information is to exempt the acts and practices of media organisations in the course of journalism from the application of the provisions[170]. This exemption applies where such a media organisation is publicly committed to observing published standards that deal with privacy in the context of the activities of a media organisation.

Law and policy

Privacy Act

‘Media organisation’ is defined under section 6(1) of the Privacy Act. The term refers generally to organisations whose activities consist of or include the collection, preparation for dissemination or dissemination of news, current affairs, information or documentaries.

The media exemption is outlined in section 7B(4) of the Privacy Act:

(4) An act done, or practice engaged in, by a media organisation is exempt for the purposes of paragraph 7(1)(ee) if the act is done, or the practice is engaged in:

(a) by the organisation in the course of journalism; and

(b) at a time when the organisation is publicly committed to observe standards that:

(i) deal with privacy in the context of the activities of a media organisation (whether or not the standards also deal with other matters); and

(ii) have been published in writing by the organisation or a person or body representing a class of media organisations.

Although it is not strictly part of the media exemption, it is worth noting that journalists are also exempt from revealing their confidential sources. Section 66(1A) states:

For the purposes of subsection (1B), a journalist has a reasonable excuse if giving the information, answering the question or producing the document or record would tend to reveal the identity of a person who gave information or a document or record to the journalist in confidence.

Broadcast Media

Under the Broadcasting Services Act 1992, the industry group representing licensees in each section of the broadcasting industry is responsible for developing a code of practice applicable to that section. Privacy provisions are included in these codes of practice[171]. The Australian Broadcasting Authority (ABA) (19) submits:

‘while the privacy provisions vary somewhat across the various broadcasting codes, all reflect the core principle which underlays media regulation in Australia and internationally, i.e. that use of private material in broadcasts has to be warranted in the public interest’.

The industry codes are developed in consultation with the Australian Broadcasting Authority (ABA) and, once approved, are included on the ABA’s Register of Codes. The ABA includes on this Register codes that are endorsed by a majority of industry, provide adequate community safeguards and provide adequate opportunity for public comment.

The ABA has created a draft set of guidelines dealing with privacy issues. A number of other privacy related laws which broadcast media organisations must adhere to are set out in Attachment A Appendix 1 to the Australian Broadcasting Authority submission (19).

Enforcement

The ABA may impose a licence condition requiring a broadcaster to comply with a code of practice[172]. Failure to comply with a licence condition is an offence under section 139 of the Broadcasting Services Act 1992. In addition to this, the ABA can impose program standards that apply to all broadcasters in a sector where the code of practice has failed to provide appropriate community safeguards[173].

Print media

Print media in Australia is regulated by the Australian Press Council. The Australian Press Council is a self-regulatory body that deals with print media, including all commercially available newspapers and magazines and the internet sites of its publisher members within Australia. It was established in 1976 with two main aims:

to preserve the traditional freedom of speech, and of the press, within Australia by keeping a watch on developments which could threaten such freedoms and

to ensure that the free press acts responsibly and ethically, by providing a forum to which anyone may take a complaint concerning the press.

The Australian Press Council consists of 21 members, representing the publishers, journalists and members of the public, and is chaired by an independent Chairman.

Principle number three of the Australian Press Council principles deals with privacy. It states:

‘Readers of publications are entitled to have news and comment presented to them honestly and fairly, and with respect for the privacy and sensibilities of individuals. However, the right to privacy should not prevent publication of matters of public record or obvious or significant public interest’[174].

Enforcement

The Secretariat of the Australian Press Council takes a mediative approach to dealing with complaints with a focus on non-legalistic, accessible and informal processes. If asked to adjudicate, the Australian Press Council holds a hearing of its Complaints Committee, which always has a majority of Public Members, and which makes a recommendation to the Council. The Australian Press Council has no punitive power beyond that of announcing its findings. Its authority stems from the willingness of publications to admit mistakes publicly by printing all adjudications arising from complaints against them. The Australian Press Council’s website states:

‘The industry takes the Council seriously. The proprietors voluntarily finance the Council’s operations and co-operate with it in mediating and processing complaints. An overwhelming majority of adjudications is published prominently’[175].

Issues

The issues paper noted that the wording of the media exemption is broad and undefined, is unspecific in relation to the level of standards to which a media organisation must commit itself, and has no requirement that there be a means of enforcing such standards. Another concern raised was that the terms ‘in the course of journalism’ and ‘media organisation’ are yet to be the subject of judicial consideration. The issues paper noted, however, that the Office has received few enquiries or complaints involving media organisations or journalistic activities and suggested that the current exemption may therefore strike an appropriate balance between privacy and the desirable free flow of information.

In particular, the issues paper asked:

whether the operation of the media exemption is striking the appropriate balance between the free flow of information and individual privacy

whether the current formulation of the media exemption covers the right organisations and the right activities and

measures to address any issues that are arising in relation to the media exemption.

What submissions say – issues

A small number of submissions comment on the media exemption. Of these about half report that they either support the exemption or are comfortable with it[176]. The majority of submissions that raise concerns about the media exemption are from health organisations.

Inappropriate reporting of health information

The Australian Medical Association (AMA) (29) argues that the media has a significant capacity to violate privacy and cause harm to patients and should be regulated in a stronger way. It cites a real example of a privacy violation caused by a media organisation reporting on the admission of a person to hospital for psychiatric care:

‘The media invasion of a particular (psychiatric) facility in Sydney severely disrupted the delivery of clinical care and resulted in other patients avoiding admission because they were concerned about the risk of being photographed by reporters covering the story’.

The AMA argues that an appropriate balance is not met by the current exemption. It argues that at present, public curiosity is afforded greater protection than an individual’s right to privacy.

The Mental Health Privacy Coalition (58) echoes the concerns raised by the AMA and requests that media be able to report only limited information about an individual’s healthcare. The Mental Health Privacy Coalition argues that if an individual’s information is of importance to the public interest, the media should apply for permission from the Privacy Commissioner to report on such matters.

St John’s Ambulance Service Australia (97), while acknowledging the balance between informing the public and respecting privacy is difficult to achieve, expresses its concerns with the media’s access to, and reporting of, information from coronial hearings. It states that occasionally inaccurate reporting causes unnecessary distress to people involved in coronial hearings as well as raising ‘undue alarm amongst the public’.

Inadequate enforcement

The ABA (19) submission states that it lacks appropriate sanctions (what it calls middle range sanctions) that would allow it to actively enforce the privacy provisions in broadcasting codes of practice. When a breach occurs, the ABA is limited to informing the media organisation and extracting commitments from broadcasters about code training and disseminating the ABA’s breach findings amongst staff. The ABA (19) also states it has found a pattern of repeat offending in privacy related breaches in commercial television (though no pattern existed in radio).

The Australian Privacy Foundation (90) criticises the Australian Press Council and broadcast media codes. The Australian Privacy Foundation (90) argues that the codes only pay ‘lip service’ to privacy and are ‘widely regarded as ineffectual’.

FreeTV Australia (46) argues that the industry codes of practice are specifically designed to balance the media’s role of informing the public about matters of public interest and protecting individual privacy. FreeTV Australia (46) actively argues in favour of maintaining the media exemption. It states:

‘the Australian media are subject to a wide range of Federal and State laws which provide protection against inappropriate or unfair means of gathering or disclosing personal information and images. These include the laws of trespass, nuisance, breach of confidence, defamation, malicious falsehood, contempt, the use of listening devices and the myriad of laws restricting reporting of specific matters such as national security, adoption, juries, and particular court proceedings’.

Exemption is too broad

The Australian Privacy Foundation (APF) (90) argues that the media exemption is too broad and could effectively be claimed in relation to any information that is ‘published’. While the activity must be ‘in the course of journalism’ to qualify for the exemption, the fact that ‘journalism’ is not defined adds to this criticism. It goes on to argue that the exemption should be narrowed to focus on the public interest role of news and current affairs and that the media exemption should only apply when:

(a) the privacy standard is ‘a bona fide attempt to protect privacy from media intrusions (assessed as such by an independent arbiter)

(b) is enforced in some effective way and

(c) is generally observed by the media organisation’.

Criticism is also levelled at the requirement in the exemption for a media organisation to commit to a published media code of practice. The APF (90) expresses dissatisfaction with this provision, arguing:

‘As there are no criteria for these standards, or provision for review of them, the condition is effectively worthless… Current industry self regulation – including the Press Council and broadcast media codes of practice, only pay lip service to privacy and are widely regarded as ineffectual’.

The APF (90) disputes that the low level of complaints and enquiries received by the Office indicates a general satisfaction with the media exemption, suggesting instead that the low level of complaints and enquiries is better explained by:

‘a widespread and correct view that media are effectively above the law in relation to privacy – unless individuals have the resources to pursue defamation or other common law actions’.

Other issues

The exemption applies if a media organisation is publicly committed to observe standards that deal with privacy (section 7B(4)(b)(i)). In interpreting this provision, it is uncertain whether the Privacy Act enables the Commissioner to determine whether a code provides adequate protection or not.

Options for reform

Remove exemption

Although there are concerns that the media can be intrusive, there is a general recognition that sometimes these intrusions may be justified in the public interest. All submissions recognise that the media has an important role to play in informing the public. The Office also notes that it receives very few enquiries and complaints about media organisations. There is a strong public interest in having a free flow of information. Given there is no strong evidence that there are major concerns about the way the exemption is operating, removing the exemption would appear to be unnecessary.

Clarify whether the Privacy Commissioner can decide whether or not a standard deals adequately with privacy

The media exemption applies when a media organisation ‘is publicly committed to observe standards that deal with privacy in the context of the activities of a media organisation’[177]. It is not clear if this section enables the Commissioner to decide whether or not the standard deals with privacy in an adequate way in the course of establishing whether or not a media organisation is publicly committed to a standard.

This provision could be amended to establish criteria by which the Privacy Commissioner could measure whether the standards adequately ‘deal with’ privacy.

Define the meaning of ‘in the course of journalism’, and clarify the meaning of ‘media organisation’

The media exemption applies ‘if the act is done, or the practice is engaged in by the organisation in the course of journalism’[178]. The Privacy Act does not define the meaning of the term ‘in the course of journalism’. In order to ensure the exemption focuses on news and current affairs, as is in the public interest, the term ‘in the course of journalism’ could be defined and the broadly defined term ‘media organisation’ could be clarified.

Greater guidance

The Office could work with the ABA and media bodies to provide moredefinitive guidance to media organisations on appropriate levels of privacyprotection in privacy standards for media organisations, and how to implementsuch standards. Greater guidance could be given to ensure that the mediasector is aware that the media exemption is not a blanket exemption. Rather,the exemption applies only if the media organisation is publicly committed toobserving a privacy code that is published in writing by the organisation.

Currently, it is not clear that the privacy standards developed for the mediaare adequate or whether the standards are being implemented. Concernshave also been raised in relation to how health information and especiallymental health information is reported. There is particular concern thatpatients will avoid seeking mental health treatment for fear of the mediaattention they may attract. It is far less likely that the public interest in havinga free flow of information will outweigh a person’s right to privacy when itcomes to the reporting of health information.

The Privacy Act (and/or the Broadcasting Services Act) could be amended torequire the ABA and media bodies to consult with the Privacy Commissionerwhen developing a code or guidelines dealing with privacy. Requiring mediaregulators such as the ABA, and media bodies, to work with the Office whendeveloping codes would ensure that media organisations are committed tostandards that adequately deal with privacy. Such codes could provideguidance on how media organisations report on matters such as healthinformation.

7.2 Recommendations: Media exemption

58. The Australian Government should consider amending the Privacy Actso that:

the Australian Broadcasting Authority (ABA) and media bodies mustconsult with the Privacy Commissioner when developing codes thatdeal with privacy and

the term ‘in the course of journalism’ is defined and the term ‘mediaorganisation’ is clarified.

59. The Office will, in conjunction with the ABA, provide greater guidanceto media organisations as to appropriate levels of privacy protection,especially in relation to health issues, and make organisations awarethat the media exemption is not a blanket exemption.

7.3 Medical research

Law and Policy

There is a social interest in enabling medical researchers to have access to health information in certain circumstances. The Privacy Act is not intended to restrict important medical research. While health information, being sensitive information, is generally afforded extra protection under NPPs 2 and 10, the NPPs recognise the desirability of medical research by enabling health information to be collected, used and disclosed in certain circumstances without consent. Where health information is being collected, used and disclosed for the purpose of research, the NPPs enable such research to proceed provided certain criteria are met.

NPPs

The relevant NPPs in this context are NPP 2.1(d), NPP 10.3 and NPP 10.4. In limited circumstances, NPP 2.1(d) allows uses or disclosures of health information for research purposes, or for the compilation or analysis of statistics, without consent, where these activities are relevant to public health or public safety. That is, the research must be about, or the statistics related to, public health or safety. Health information may be used or disclosed without consent for these purposes only if:

the activities cannot be undertaken with de-identified information and they are relevant to public health or public safety

seeking consent is impracticable

the activities are carried out in accordance with guidelines that are developed by the National Health and Medical Research Council (or a prescribed authority) and are approved by the Privacy Commissioner, and

for disclosure - the health service provider reasonably believes that the organisation to which they disclose will not further disclose the health information or any personal information derived from it.

Under NPP 10.3, an organisation may collect health information about an individual if the collection is necessary for:

research relevant to public health or public safety or

the compilation or analysis of statistics relevant to public health or public safety or

the management, funding or monitoring of a health service and

the purpose cannot be served by collecting information that does not identify the individual.

In such instances, the information must be collected:

as required by law or

in accordance with rules established by competent health or medical bodies that deal with obligations of professional confidentiality which bind the organisation or

in accordance with guidelines approved by the Commissioner under section 95A.

If an organisation collects information under NPP 10.3, then it must take reasonable steps to permanently de-identify the information before it discloses it (NPP 10.4).

The Office has an information sheet on handling health information for research and management[179].

Section 95A guidelines

Guidelines approved by the Privacy Commissioner under s 95A of the Privacy Act 1988 have been developed by the National Health and Medical Research Council (NHMRC)[180]. In approving the guidelines the Commissioner must apply a public interest test[181].

The guidelines provide a framework to ensure privacy protection of health information that is collected (under NPP 10.3), or used or disclosed (under NPP 2.1(d)), in the conduct of research and the compilation or analysis of statistics relevant to public health or public safety, and in the conduct of health service management activities. Under the guidelines, Human Research Ethics Committees (HRECs) are required to approve research or statistical activities that involve the collection, use or disclosure of identifying health information, and health service management activities that involve the collection of identifying health information.

In line with NPP 10.3, the guidelines only require HREC approval where the activity is to be conducted without consent from the individual concerned. A HREC may only approve such research where it determines that the public interest in the proposed research, statistical or health service management activity substantially outweighs the public interest in the protection of privacy.

The NHMRC has also developed a National Statement on Ethical Conduct in Research Involving Humans (1999), which it is currently reviewing.

What submissions say - issues

Complexity of privacy regime

Submissions, including the Australian Department of Health and Ageing (99), the National Health and Medical Research Council (NHMRC) (32), the Australian Academy of Science (119) and the University of Adelaide (28), point to the complexity of the privacy regime in Australia, both within the Privacy Act and between Commonwealth and state legislation, and the impact this is having on health and medical research. They say, for example, that the co-existence of the NHMRC’s section 95 (public sector) and section 95A (private sector) guidelines and the interaction between the IPPs and the NPPs has created some confusion for researchers and consumers. They also say that the interpretation and implementation of Commonwealth and state privacy legislation is compromising individually and publicly beneficial research and health care. Problems include that private sector organisations are making incorrect decisions and adopting a highly conservative approach to privacy compliance[182]. The NHMRC (32) says:

‘There is evidence that legitimate and ethical activities (which in some cases are vital to the quality provision of health care or the conduct of important health and medical research) are being delayed or proscribed because some key decision-making bodies are unable to determine, with sufficient confidence, whether specific collections, uses and/or disclosures of information accord with legislative requirements. The adoption of a highly conservative approach is resulting in excessive administrative effort and a reluctance to approve the legitimate use and disclosure of health information for the purposes of health care, as well as health and medical research.’

The Australian Nursing Federation (127) says that collection of data for health data registries, including the national asbestosis registry, is being impeded by individual organisations’ interpretation of the Privacy Act.

On the issue of the interaction between section 95 and section 95A guidelines, the NHMRC (32) says:

‘In particular, the differing requirements of Sections 95 and 95A are inconsistent and confusing. Their application to similar projects in different settings can result in different outcomes, without any apparent policy rationale’.

Inconsistencies between the two sets of guidelines include that, while the section 95 guidelines apply to proposals by an agency to collect, use and disclose for ‘medical research’, the section 95A guidelines, which apply to private sector organisations, refer to:

proposals by an organisation for the collection, use and disclosure of health information for the purposes of research or the compilation or analysis of statistics, relevant to public health or public safety and

proposals for collection by an organisation of health information for the purposes of management, funding or monitoring of a health service.

The NHMRC (32) says that there is no obvious rationale for these differences, which exclude non-medical research by agencies from consideration under the section 95 guidelines and medical research that is not relevant to public health or public safety from consideration under the section 95A guidelines.

The Department of Health WA (101) raises another inconsistency in relation to quality assurance and audit activities. It says that NPP 10.3(a)(iii) provides for collection, but not disclosure, for management, funding or monitoring activities, and that it should allow for disclosure for this purpose as well.

The University of Adelaide (28) comments on the need to involve up to 10 national, state and other ethics research committees in national research proposals.

When consent needed

The NHMRC (32) points to the inconsistency between the NHMRC National Statement on Ethical Conduct in Research Involving Humans (the Statement) and the Privacy Act, particularly in relation to when it might be appropriate to dispense with consent. The NPPs appear to be narrower in that they confine the circumstances in which consent can be dispensed with to when it is ‘impracticable’ to obtain it. The Statement permits epidemiological research in broader circumstances, including where getting consent would cause ‘unnecessary anxiety’ or where the scientific value of the research would be prejudiced.

A number of other submissions also say that the circumstances where consent can be dispensed with are too narrow.[183]

Gaps and problems within NPPs

Slow up research

A number of submissions, for example the University of Adelaide (28) and the Australian Psychological Society (103), say that the private sector provisions have made the process of undertaking research more difficult. They say that the provisions slow down the approval process and have an impact on gaining access to, and collecting, data.

General research

The AMA (29) and the South Australian Department of Health (95) point to the need to broaden the kind of research the NPPs cover. For example, the South Australian Department of Health says the NPPs do not cover non-health information. As a consequence, the Australian Compliance Institute (16) says that research that can have considerable public benefit has been hampered by the Privacy Act. It says that, on the basis that it may be possible to re-identify consumption data, organisations cannot provide this information (to universities or government agencies, for example) without an individual’s consent.

Data linkage and registries

The South Australian Department of Health (95) and the Department of Health Western Australia (101) say that the NPPs do not seem to provide for data linkage and there is a need to revamp NPP 10 to provide for this. Issues they raise include that the NPPs do not explicitly allow for the flow of information for the development of Australia’s National Minimum Data Sets. The Department of Health Western Australia (101) says that while the information for these is nominally de-identified, it does include date of birth, sex and postcode.

The NHMRC (32) is concerned that the Privacy Act directly impairs the establishment of registries. It says that use or disclosure of health information for this purpose is unlikely to be a directly related secondary purpose within the reasonable expectations of individuals under NPP 2, and so would appear to require approval by a HREC. However, the NHMRC (32) considers that such activities may be regarded as preliminary to research, rather than actual research, for the purposes of the NPP 2 exceptions to the need to get consent.

On the question of data linkage, the NHMRC (32) reports that some researchers have advised it that some HRECs appear to have discounted completely the potential to conduct research projects involving data linkage of health information without consent, and have rejected such applications out of hand, apparently in the ‘mistaken belief that such linkage is not ethically or legally acceptable’. It cites research it carried out which indicates that there was considerable support among the general public (66%) and health consumers (64%) for approved researchers to match information from different databases.

Likewise, it reports that there was an even higher level of support for approved researchers to access health information from databases where records are identified by a unique number rather than a name (general public 82%; health consumers 86%). It says its research also showed that nearly all health providers, data custodians, HREC members and peak body representatives who participated in its stakeholder surveys acknowledged the importance of data linkage in improving the effectiveness of treatment and consequently of public health.

On the other hand, in some stakeholder forums it was said that many people do not know that their health information is, or might be, used for research without their consent, or understand the value of such research.

Complexity of reporting obligations

Submissions, for example the University of Western Australia Human Research Ethics Committee (1) and the NHMRC (32), say that the reporting obligations under the section 95A Guidelines are onerous and detailed. In particular they are concerned that the requirement to list the NPPs and the sub-sections referred to in reaching decisions is difficult to complete.

HREC decision making

An epidemiologist from the University of Adelaide (28) is concerned that what is in the public interest is being resolved by ethics committees which do not necessarily determine this issue on the basis of ethics considerations. The Australasian Epidemiological Association (30) is concerned about decision making on what is in the public interest being subject to the opinions of individuals on HRECs. For example, it says that legal liability may override ethical or public interest matters in an ethics committee’s decision about whether or not to approve a research proposal that involves collection, use or disclosure of personal medical information without consent.

The University of Adelaide (28) considers that the current approach to community representation on HRECs may not be appropriate. Other submissions, for example the South Australian Department of Health (95), say there are inconsistencies in the way HRECs are weighing up the benefit of a research proposal versus the threat to individual privacy.

De-identification and medical research

The Australian Consumers Association (15) says that the whole issue of de-identified data needs to be re-examined. The Australian Institute of Health and Welfare (100) also points to problems with determining what is de-identified data, and says there is a need for more guidance. The Australian Consumers Association (15) is concerned that:

‘as soon as something is deemed to be de-identified it no longer falls under the Privacy Act or the NPPs, but there is a vagueness surrounding the term. . . Indeed it seems that once a record is defined as ‘de-identified’ it is open slather, there is no need for consumer consent or ethics committee approval even though we have no good working definition of what de-identification means’.

The NHMRC (32) also says that stakeholders are experiencing difficulty in determining whether a person’s identity is ‘apparent or can be reasonably ascertained’. The Australian Nursing Federation (127) agrees that greater clarity is needed around the de-identification of electronic data and the point at which it is de-identified, as well as the definition of de-identification itself.

There are mixed views among submissions about what people think about the use of de-identified health information by third parties. The Australian Consumers’ Association (15) says that when people go to the doctor, they are giving information on the basis that it will be used only in their clinical care. They do not expect that third parties will be trawling through their health records, even in de-identified form. It says that in this sense third party access to data without the consumer’s knowledge is something of a breach of trust.

On the other hand, the Australian Department of Health and Ageing (99) says that consumers have very definite opinions about health information. On the basis of research it has carried out, it says that consumers express strong reservations about identified personal information being made available for purposes other than their own clinical care, but are generally very accepting of the notion of sharing de-identified personal health information amongst health planners and researchers[184].

What submissions say – addressing the issues

Consistency within the Privacy Act

The NHMRC (32) suggests combining the IPPs and NPPs into a single set of National Privacy Principles that apply to all relevant public sector and private sector agencies. It also recommends having a single set of research guidelines, applying to the collection, use and disclosure of health information without consent, that covers all health and medical research to which the Privacy Act applies. It says consistency could also be achieved by making the definition of ‘research’ consistent across all provisions of the Privacy Act and encompassing all health and medical research. The Australian Academy of Science (119) supports these kinds of measures.

National consistency

A number of submissions say that a single, simplified, national health privacy regulatory regime to replace, rather than supplement, the existing regulation should be pursued[185]. The University of Adelaide (28) and the Australasian Epidemiological Association (30) suggest that the states could refer matters to the Commonwealth.

Broadening research provisions to non-medical research

The Australian Compliance Institute (16) says that the Privacy Commissioner should agree to the need to expand the research category to meet government, environmental and community benefits. The Commissioner should have powers to exempt research projects from Privacy Act provisions and principles, based on set criteria, where there are government, community or environmental benefits.

Broadening circumstances in which consent not needed

The AMA (29) suggests that all medical research should be regarded as relevant to ‘public health and public safety’. Further, it suggests that there should be a broader construction of what is ‘public health and public safety’.

Submissions also suggest a number of ways that the provisions providing for when consent is not needed could be broadened. The AMA (29) says that the exemption from the need to get consent for collection or disclosure of health information for research purposes should be extended from when it is ‘impracticable’ to include when it is so inconvenient or unprofitable that the research would be hindered.

The NHMRC (32) says that the NPPs should be brought into line with its National Statement to allow consent to be dispensed with where it would cause ‘unnecessary anxiety’ or where the scientific value of the research would be prejudiced. However, in line with contemporary legal approaches to the concept of therapeutic privilege, it says the concept should be further defined to encompass only circumstances in which the procedures necessary to gain consent ‘are likely to seriously and adversely affect the well being (which includes the psychological health) of the person from whom consent would be sought’.

The University of Adelaide (28) suggests that consent might be dispensed with in cases where inclusion in the research causes no physical or psychological harm to the individual. The Australasian Epidemiological Association (30) says that most people think that consent should not be needed for access to ‘medical records for non-commercial medical research that has no effect on the individuals being studied and has been approved by an accredited research ethics committee’.

The Australian Compliance Institute (16) suggests that, as for health and medical research, there should be special provisions to allow organisations to disclose personal information for research that will benefit government, the environment and the community. Further, it says that the Privacy Commissioner should develop criteria for exempting, and have the power to exempt, such research from the Privacy Act.

Further work to clarify when consent is needed

The Australian Consumers’ Association (15) recommends that the Office do further work on the sort of data usage that requires consumer consent or ethics committee approval in the public and private spheres. It also says that the Office should do further work on the challenges involved in protecting consumer privacy in the face of numerous databases that could be used to re-identify records.

Ensure NPPs allow data linkage

A number of submissions suggest that the NPPs need to be either clarified or revamped to ensure that the great public benefit that can be achieved from data linkage and data registries is realised. The Department of Health Western Australia (101) says that NPP 10.4 needs to be revamped as it does not permit the approach to data linkage in Western Australia, which allows a data custodian to retain data in identifiable form to enable the custodian to check the data. The Telethon Institute for Child Health Research (55) says that it is important that the privacy legislation recognises the public good which results from the epidemiological analysis of existing data collected on the population which has been linked together.

Clarify meaning of de-identification

The NHMRC (32) recommends that the Office clarify the meaning of ‘de-identified’, to make it clearer what information is and is not subject to the Privacy Act and ethics approval processes. The Australian Consumers’ Association (15) says that the Office should provide guidelines that set out a clear working definition of ‘de-identified’ data.

Simplify HREC approval process

A number of submissions agree that the procedure for gaining ethics approval to undertake linkage or record assessment research should be straightforward and streamlined[186].

HREC reporting requirements

Submissions, including a Human Research Ethics Committee (1), the NHMRC (32) and the Australian Academy of Science (119), support measures to streamline the reporting requirements of Human Research Ethics Committees.

Legal protection for HRECs

The University of Adelaide (28) and the Australasian Epidemiological Association (30) say the law should be changed to protect ethics committees when they make reasonable decisions.

Raising awareness and acceptance

Submissions suggest a number of measures to increase public awareness and acceptance of the use of health information for research, and in particular epidemiological research. These include the careful publishing of research findings and public health outcomes in the popular media and holding forums that highlight the need for this kind of research[187]. In some of the stakeholder forums it was said that there should be public debate and raising of community awareness on the issue of use of health information without individual consent.

The Health Consumers’ Council, Perth[188] says there needs to be greater regard for consent when health information is used for research, or at a minimum there should be notice of what information is being collected and how it is to be used and/or disclosed, and whether the use, disclosure or collection is required or authorised by or under law.

Options for reform

Consistency in approach to research between private sector and Commonwealth public sector

It has been recommended (see recommendation 1) that there be a wider review of the Privacy Act. This wider review could include how to make the IPPs and the NPPs consistent. This would include considering the question of what guidelines were needed. The same guidelines could apply to the same kind of research, regardless of whether it involves the private sector or the public sector. However, the wider review would need to consider whether separate guidelines might be needed for non-medical research that does not involve health information. It could also include reaching a definition of ‘research’ that applies across both sectors.

Broaden NPPs to include research on humans, not just medical research

For non-health information this would involve amending NPP 2, which currently only has provision to allow for disclosure of health information for specified research purposes without consent. To ensure there is appropriate protection, there would need to be a process that would include a HREC approval process appropriate to non-medical research.

A possible reference is Information Privacy Principles 10(f) and 11(h) of the Privacy Act 1993 (NZ), which allow personal information to be used or disclosed if the agency believes on reasonable grounds that the information is to be used for statistical or research purposes and will not be published in a form that could reasonably be expected to identify the individual concerned. This principle currently applies unmodified to non-health information. However, New Zealand has a health information privacy code which regulates the handling of health information, including for research purposes[189].

It may not necessarily be appropriate to adopt the New Zealand approach to research involving non-health information without examining further whether the environment has changed sufficiently (for example, the increased ability to link data) to require a stricter approach, such as requiring HREC approval for research involving non-health information.

National consistency in approach to protecting privacy in research, including health and medical research

This report has made recommendations in Chapter 1 on how greater national consistency could be pursued. Having a national health privacy code which includes provisions for research could be of help in this respect. There would have to be consideration of how the IPPs fit into this scheme. However, this would not help to achieve consistency in the case of research that does not involve health information.

Clarify disclosure for the purpose of the management, funding or monitoring of a health service without consent

This could be done by:

amending NPP 2.1(d) to include that organisations can disclose information for the purpose of the management, funding or monitoring of a health service without consent. (This would require them to go through a section 95A process.)

adding an additional exception to NPP 2.1 that allows organisations to disclose information for the purpose of the management, funding or monitoring of a health service without consent. (This means they can do it without having to go through the section 95A process.)

conducting an education campaign with HRECs and other key bodies, and private sector organisations generally, to ensure that they know that the Office’s guidelines say that disclosure for management, funding and monitoring is related to the primary purpose of collection and within people’s reasonable expectations, and so does not require consent.

Inquiry into use of personal information for research

There could be an inquiry to determine, with appropriate consultation and public debate:

the appropriate balance between facilitating research for public benefit and individual privacy and right of consent

whether special protections are needed for research for commercial purposes

the privacy protections necessary if the balance is shifted towards data linking and more access without consent

what public education is needed to ensure the community is aware of the uses made of their personal information and the protections in place to protect it when it is collected without consent.

There is considerable evidence that key researchers, especially epidemiological researchers, consider that the current balance between privacy and the public benefit of research is too heavily weighted in favour of individual privacy to the detriment of research. By gaining access to population data and data linkage, the research might considerably benefit disadvantaged groups that are currently under-researched.

There is evidence that taking an opt-in approach to participation in research significantly reduces the participation rate and therefore the scientific integrity of research. In a study conducted by the University of Sydney[190], it was found that:

‘opt-in requirements significantly reduce the proportion of people ultimately recruited into a trial compared with an opt-out approach that was once commonplace. It has also shown that by increasing the number of eligible people approached to opt-in, a demographically similar study sample can be obtained. Furthermore, a study sample recruited by opt-in is more likely to include active, preventative health-seeking participants and those with a personal motivation such as a higher risk’.

The Office has received many submissions from researchers on this issue but few comments or submissions from a consumer point of view. Consumer research on this issue is mixed. Research conducted by the Office shows that individuals are concerned about their personal information being used, even in a de-identified form, for research purposes. Almost two thirds (64%) of respondents felt that an individual’s permission should be obtained before de-identified information derived from personal information about them is used for research purposes. One third (33%) of respondents felt that permission was not necessary.

On the other hand, the Australian Department of Health and Ageing research suggests that although consumers express strong reservations about identified personal information being made available for purposes other than their own clinical care, they are generally very accepting of the notion of sharing de-identified personal health information amongst health planners and researchers.[191]

This is a complex issue that goes beyond the remit of this Office. Getting this balance right will be important, and should be resolved if initiatives to connect health information electronically are to succeed with community support.

Guidelines that clarify what is and is not de-identified personal information

As part of a wider inquiry into the Privacy Act, the issue of what is or is not de-identification could be considered. This is an important threshold issue which determines whether or not information is protected. Developments in technology have made it increasingly difficult to determine whether information is de-identified or not. In the meantime, the Office could provide guidance on this, which would help HRECs and researchers in their decision making.

Simplify reporting requirements for HRECS

This would involve the Office working with the NHMRC to reach a simplerformat for reporting which better reflect the way HRECs make decisions indeciding whether or not to approve a research project. It would help tostreamline the HREC process. However, there should still be an adequatelevel of accountability.

7.4 Recommendations: Research

60. As part of a broader inquiry into the Privacy Act (see recommendation 1), the Australian Government should consider:

how to achieve greater consistency in regulating research activities under the Privacy Act

whether regulatory reform is needed to address the issue of de-identification in the context of research and the handling of health information

where the balance lies between the public interest in comprehensive research that provides overall benefits to the community, and the public interest in protecting individuals’ privacy (including individuals having choices about the use of their information for such research purposes)

whether there is a need to amend NPP 2 to permit the use and disclosure of personal information for research that does not involve health information

undertaking further research and education work with the broader community to ensure that the balance between research and privacy accords with what the community expects and understands.

61. The Office will issue guidance in relation to NPP 2 to clarify that organisations can disclose health information for the management, funding and monitoring of a health service.

62. The Office will work with the National Health and Medical Research Council to simplify the reporting process for human research ethics committees under the section 95A guidelines.

7.5 Decision-making where capacity is impaired

Introduction

Impaired capacity and substituted decision-making

In order for an individual to give valid consent to privacy or other matters they must have the capacity to make an informed decision. Decision-making capacity can be impaired permanently or temporarily for a number of people for a range of reasons. These include cognitive disabilities such as acquired brain injury, dementia or mental illness. A child may lack capacity for legal or other reasons.

Role of carers

For adults with a decision-making disability, the role of substituted decision-maker may be entrusted to a spouse, carer, family member or friend. This can occur informally where the person with a decision-making disability is assisted by someone in their day-to-day affairs, or it can occur formally, for example where there is an order made under state or territory guardianship or administration legislation[192].

Generally, formal guardianship and administration orders are made as a last resort only. Instead, there is a preference for informal arrangements ‘where a family member, carer or friend serves as substituted or assisted decision-maker and often as primary advocate’[193]. The spouse, carer, family member or friend conducts business, such as banking, dealing with utilities and welfare agencies, informally on the person’s behalf.

For children, generally the child’s parents have responsibility for decision-making on their behalf.

Problems for substituted decision-makers

In 2003-2004, members of the Australian Guardianship and Administration Committee (AGAC) wrote to the Office about privacy laws and difficulties carers were experiencing in conducting business on behalf of persons with decision-making disabilities. Submissions to the Review and comments made at stakeholder forums reiterated this issue.

Relevant privacy principles

Section 6 of the Privacy Act and National Privacy Principles (NPP) 2, 6 and 10 are relevant in this context.

Collection of sensitive information

‘Sensitive information’ is defined by section 6 of the Act and includes, amongst other things, an individual’s health information. Except in certain circumstances, an organisation cannot collect an individual’s sensitive information without their consent (NPP 10.1).

One of those circumstances is where the collection of sensitive information is necessary to prevent or lessen a serious and imminent threat to the life or health of any individual, and the information concerns a person with an impaired decision-making capacity. In such circumstances, their sensitive information can be collected by an organisation without consent (NPP 10.1(c)).

Disclosures of personal information

NPP 2 establishes the general rule that personal information must only be used or disclosed for the primary purpose for which it was collected. However, there are exceptions to this general rule.

These exceptions enable organisations to make judgements about disclosing an individual’s personal information to a third party in certain circumstances. The consent of the individual, whether express or implied, is not the only exception to this general rule.

For example, where a guardianship or administration tribunal has made an order appointing someone to act on an individual’s behalf, the disclosure of relevant personal information about the individual by an organisation to the guardian or administrator would be ‘authorised by law’ in terms of NPP 2.1(g)[194].

Disclosures of health information

Further exceptions to the general rule about disclosures are to be found in NPP 2.4, 2.5 and 2.6 regarding the ‘health information’ of persons with an impaired decision-making capacity. These provisions represent a scheme that facilitates, within certain limits, disclosures of health information to ‘responsible persons’ (as defined in NPP 2.5 and 2.6).

Discretion to disclose

The provisions of NPP 2.4, 2.5 and 2.6 are structured to give health service providers a discretion about disclosing the health information of an individual with impaired capacity when, broadly speaking, it is in the individual’s interest to do so. That discretion can be exercised by the health service provider in certain circumstances explained below (NPP 2.4(b)).

Where it is necessary for the care and treatment of the individual, or for compassionate reasons, a health service provider may disclose relevant health information about the individual to certain persons, providing that it is not contrary to the reasonably ascertainable wishes of the individual (NPP 2.4(c)). Such disclosure must be limited to what is necessary and reasonable to meet its purpose (NPP 2.4(d)).

If a disclosure is permitted by NPP 2.4, the Privacy Act does not guide the organisation in whether or not to provide information to carers, family members or other responsible persons. This is a matter for the organisation’s professional judgement in line with its own policies and other legal obligations in the circumstances of each case.

Access to personal information

NPP 6 gives individuals a general right of access to personal information about them held by private sector organisations, subject to certain exceptions. If an individual with an impaired decision-making capacity has an appointed guardian or administrator, the latter may exercise the right of access under NPP 6 on the individual’s behalf. This is the case to the extent the guardian or administrator is appointed to stand for the individual under law. Access rights exercised by a guardian or administrator on behalf of an individual are subject to the same exceptions under NPP 6 as they are for any other person.

What submissions say - issues

Refusing services

Submissions express concern that government agencies, businesses (such as banks and utilities) and other service providers may be causing hardship to individuals, who are dependent on substituted decision-makers, by adopting unduly cautious interpretations of privacy legislation. These concerns were also raised in stakeholder forums. The AGAC submission (114) refers to the following examples:

Utilities have refused to accept directions about the supply of services to the home of an elderly woman with dementia from members of her family. The companies gave privacy laws as the reasons for their refusal.

In the absence of express authorisation by a policy holder with physical and intellectual disabilities, an insurance company refused to disclose information about the client’s policy to the policy holder’s parents who cared for them and assisted in their insurance arrangements.

Both an Australian Government welfare agency and a bank refused to disclose financial information to the carer of a client with a mental illness. The information was denied ‘on the grounds of privacy’.

Implementing privacy laws

Submissions refer to businesses requiring the production of an express authorisation from individuals (with impaired decision-making capacity) so that their carers can transact business on their behalf. Other service providers ask for some formal evidence of authority to permit a carer to act on the individual’s behalf, such as an order from a tribunal:

‘In all facets of daily life…, I am constantly challenged as not being the person to conduct business on behalf of (my son)’ - the mother of a man with an intellectual disability (AGAC 114).

The issue of cost is also raised in a submission from a father of a dependent adult child:

‘Most of these people insist on a power of attorney addressed to them which now costs over $100.00 to organise’ (7).

Submissions also support the view that front-line staff of service providers may be implementing a ‘low-risk’ or narrow approach to privacy laws. The Private Health Insurance Ombudsman (10) notes difficulties that parents had experienced in obtaining information about disabled adult children in their care. These difficulties, the submission also noted, were increasingly being resolved by putting appropriate administrative arrangements in place.

Consistent privacy standards

Submissions suggest that consistency between the privacy principles operating in the federal public sector and the private sector would assist the work of carers for people with decision-making disabilities. ‘Each sector should have the same privacy standard, set at the level of the NPPs’ (AGAC 114).

Do the NPPs work for those with decision-making disabilities?

A lack of decision-making capacity should not mean that individuals miss out on obtaining access to services; neither should their privacy rights be undermined because they cannot make their own decisions. Submissions support the view that the protection of an individual’s privacy rights under the NPPs is not incompatible with their reasonable enjoyment of services. The understanding, interpretation and the application of the NPPs by agencies, businesses and service providers are identified in submissions as needing improvement.

Options for reform

There appears to be some significant concern that NPP 2 does not readily permit the disclosure of certain personal information about an individual with a decision-making disability where this may be manifestly in their interests.

The Office is aware of concerns about the Privacy Act potentially limiting or denying the ability of some private organisations (such as utilities or financial institutions) to disclose non-health information about a person to a carer, family member or friend where this might be necessary to manage the person’s affairs. This information may be personal or financial details relating to the provision of a utility or service (for example water, gas, electricity or telephone), or another key element of their affairs (for example, financial affairs).

It may be appropriate to amend NPP 2 to include a provision like NPP 2.4, which would permit the disclosure of non-health information to certain people (such as those listed in NPP 2.5) in limited circumstances. Care will be needed to avoid creating too broad a permission to disclose and thereby putting at risk the financial and other interests of the person with a decision-making disability. Of course, an amendment to NPP 2 in this manner would always leave the discretion to disclose with the organisation, which would need to satisfy itself that the disclosure was warranted and necessary to secure or safeguard the interests of the individual.

The Office would need to issue guidance on the application of such provisions should they be inserted into the Privacy Act.

Binding guidelines on NPP 2 and decision-making disability

Rather than amend NPP 2 by adding a further general exception, the Privacy Act could be amended to provide for a power to issue binding guidelines about the handling of personal information in certain circumstances. The power to make binding guidelines is discussed in section 5.6.

The binding guidelines could amend NPP 2 to allow for the use and/or disclosure of personal information in circumstances relating to decision-making disability set out in the guidelines. To ensure adequate transparency and scrutiny, such guidelines could be legislative instruments for the purposes of the Legislative Instruments Act 2003.

Public Interest Determination to vary NPP 2

Rather than amend NPP 2 by adding a further general exception, the Privacy Commissioner could make a public interest determination (under Part VI of the Privacy Act) to permit disclosures of personal information relating to a person with a decision-making disability in certain circumstances.

Given the ongoing nature of the information-handling under consideration, the non-permanent nature of such determinations may not be the most appropriate regulatory solution to this issue. To provide the assurance and stability in the law that these issues call for, it may be more appropriate to resolve the matter with a longer-term regulatory option.

No change

As submissions and input to the stakeholder forums did not call specifically for changes to the Privacy Act, it may be argued that it is appropriate not to amend the legislation in this area. If this were the case, then the emphasis would appear to rest on awareness and education.

Education and awareness

There was greater agreement among stakeholders that better understanding of how the NPPs work in this area is important. More practical guidance from the Office on the permissible information-handling acts and practices of agencies and organisations may remove many of the difficulties experienced by individuals with decision-making disabilities and their carers.

In its submission, AGAC (114) referred to the Best Practice Guide: Privacy and people with decision-making disabilities, published by the Office of the NSW Privacy Commissioner, as an example of a resource that might assist in educating and raising awareness around these issues[195].

The Office could consult with the NSW Privacy Commissioner and carefully consider these guidelines with a view to adopting, with agreement, the guidance material that correlates with the NPPs. The Office could work with stakeholders to further develop this guidance to deal with other issues. The resulting materials could be used nationally to minimise the difficulties currently experienced by people with decision-making disabilities, their carers and the organisations with which they deal. Such work would be subject to the Office being provided with sufficient resources.

7.6 Recommendations: Decision-making where capacity is impaired

63. The Australian Government should consider, in order to ensure that the Privacy Act does not prevent individuals with a decision-making disability from receiving a range of utilities and other services, amending NPP 2 to permit the disclosure of non-health information to a class of persons the same, or similar, to that described in NPP 2.5, where an organisation considers the disclosure to be necessary for the management of the person’s affairs in a way that their financial or other interests are secured or safeguarded. It would be appropriate to consider developing such an amendment in consultation with the Australian Guardianship and Administration Committee.

64. The Office will, in recognition that disclosures of health information under NPP 2 are appropriately permitted in law but may not occur in practice, develop further and more practical guidance.

7.7 Law enforcement

Law and policy

Protecting the community and privacy

The community has an interest in its security and safety being protected by government regulatory bodies and law enforcement agencies. In the course of carrying out their activities and functions, enforcement bodies, government agencies and regulatory authorities collect personal information from a range of sources, including private sector organisations. The Privacy Act seeks to balance the public interest in effective law enforcement with the protection of individuals’ privacy.

The Privacy Act permits organisations to lawfully co-operate with agencies performing law enforcement functions. The Act is not intended to hinder organisations’ involvement and co-operation with law enforcement bodies.

The Act is not intended to interfere with other legal obligations (for example, common law duties) that organisations might have and which affect the use and disclosure of personal information.

Relevant privacy principles

Section 6 of the Act and NPPs 1, 2, 6 and 10 are relevant in this context.

Collection of sensitive information

‘Sensitive information’ is defined by section 6 of the Act and includes an individual’s health information and criminal record. Except in certain circumstances, an organisation cannot collect an individual’s health information without their consent (NPP 10.1).

One of those circumstances is where the collection is required by law under NPP 10.1(b). Health service providers, for example, are required by state and territory public health legislation to collect health information about individuals with certain notifiable diseases. Similarly, under child protection legislation, private sector educational institutions must check the criminal record histories of their employees.

Disclosure to law enforcement bodies

NPP 2 establishes the general rule that personal information must only be used or disclosed for the primary purpose for which it was collected. There are exceptions to this general rule, including permitting an organisation to use or disclose personal information for law enforcement and regulatory purposes. These exceptions are set out in NPP 2.1 (f), (g) and (h).

Generally described, these exceptions permit an organisation to use or disclose personal information in situations such as where:

The organisation has reason to suspect that unlawful activity is occurring (or that it has occurred or may occur), and it must use or disclose the personal information in its own investigation of the matter, or to report the matter to a relevant person or authority (NPP 2.1(f)).

The use or disclosure is required or authorised by or under law (NPP 2.1(g)).

The organisation reasonably believes the personal information is needed for use or disclosure by (or by another on behalf of) a law enforcement body for such things as the prevention, detection, investigation and similar activities relating to the criminal law and laws that impose a penalty or sanction; for the enforcement of laws relating to the confiscation of the proceeds of crime; to protect the public revenue; to prevent, investigate and take other steps in relation to seriously improper conduct; or in the preparation for, or conduct of, court and tribunal proceedings (NPP 2.1(h)).

Section 6 of the Act defines ‘enforcement body’ to include such agencies as the Australian Federal Police, state and territory police services, as well as regulatory bodies such as the Australian Securities and Investments Commission.

Discretion to disclose

An organisation has discretion regarding whether or not to disclose personal information to a law enforcement body; that is, unless there is another law that requires the disclosure. If a disclosure is permitted by NPP 2, but not required by another law, the Privacy Act does not tell the organisation whether or not to provide personal information to a law enforcement body. The organisation must make its own judgement considering its own policies and any other obligations in the circumstances of each case.

Access and law enforcement

NPP 6 gives individuals a general right of access to personal information that an organisation holds about them. In certain circumstances an organisation can withhold access; these circumstances are set out in the exceptions to NPP 6. They include exceptions to access for law enforcement or regulatory purposes; for example, NPP 6.1(j) permits an organisation to deny access to an individual when this would prejudice activities being carried out by, or on behalf of, an enforcement body.

Issues paper

The issues paper asked if the right balance has been struck between privacy and the public interest in effective law enforcement. It asked how the relevant NPPs are working in a law enforcement setting and whether steps are needed to redress any imbalances between these competing interests.

What submissions say - issues

Law enforcement bodies

Representatives of law enforcement officers said that some organisations have declined to provide personal information that was reasonably necessary for their enquiries, giving privacy legislation as the reason for their refusal. The Police Association of Victoria (116) states:

‘Our members are being denied access to information by some areas of the Private Sector Community on the basis that the information is protected under the Privacy Act’.

The Australian Federal Police (AFP) (129) notes the reluctance of some organisations to provide personal information in some circumstances. This can occur for a range of reasons including a lack of understanding on the part of the organisation about how the National Privacy Principles operate (that is, that they are permitted to disclose personal information for law enforcement purposes), concerns about disclosures being detrimental to commercial or other business outcomes, the costs of complying with a request for information, or concerns about litigation by those to whom the information relates.

Greater awareness and education is recognised as going some way toward resolving organisations’ concerns in this area. However, other solutions outside the Privacy Act may be needed. For example, the AFP mentions powers such as being able to issue a ‘notice to produce’, which could compel (or more clearly authorise) disclosure of certain information by an organisation.

Private sector organisations

On the other hand, pharmacists indicate that in some circumstances ethical obligations of confidentiality prevent them from disclosing personal information about their clients to law enforcement officers. The Pharmacy Guild of Australia (93) says that, generally, law enforcement officers and the general community are unaware of pharmacists’ obligations of confidentiality. The Guild (93) submits:

‘There is an underlying belief in the community that confidentiality between a pharmacist and patient is not as vital as it is for a doctor and patient.’

Consequences of lack of awareness

Submissions state that a lack of awareness about privacy legislation and obligations of confidentiality had undesirable consequences. The Police Association of Victoria (116) refers to a ‘risk of undermining the core functions of our members through ‘misunderstandings’ about the Privacy Act’.

The Pharmacy Guild of Australia (93) submits that refusing to provide information to police officers ‘can often be quite intimidating for a pharmacist’. These submissions were backed up by comments at stakeholder consultations.

Australian Institute of Private Detectives

The Australian Institute of Private Detectives (38) suggests the definition of ‘enforcement body’ should be extended to include private detectives. This would permit private detectives to more readily collect personal information about individuals from organisations. This matter is further explored at section 7.9.

Enquiries from the private sector

Since the introduction of the National Privacy Principles, the Office has received a significant number of enquiries from organisations about their obligations when asked to disclose data to law enforcement officers.

Options for reform

No changes to the law

Submissions do not call for changes to the NPPs in the law enforcement context. Generally, it appears the construction of the law is considered to be reasonable, but problems seem to arise in its application. It seems appropriate, therefore, not to change the law, but to focus on how the law is understood and applied.

Greater awareness and education

If the law is considered to be appropriate, there is a need to consider whether greater awareness and education is necessary to develop a better understanding of how the NPPs are intended to work in the law enforcement context. This is a matter that has been demonstrated through the Review.

There appears to be a need for greater education on the circumstances of permissible disclosures of personal information by private sector organisations to law enforcement bodies under the NPPs.

The Office could work with the law enforcement sector and relevant industry bodies to develop more practical guidance about personal information handling and law enforcement in the context of the NPPs. This would help to make the Act work more effectively. For such work to be effective it would require additional resources for the Office.

7.8 Recommendation: Law enforcement

65. The Office will work with the law enforcement community, private sector bodies and community representatives to develop more practical guidance to assist private sector organisations to better understand their obligations under the Privacy Act in the context of law enforcement activities.

7.9 Private investigation

Introduction

The private sector provisions seek to balance an individual’s right to privacy with other social interests that compete with privacy. The Office has been made aware for some time now that those involved in private investigation consider that a number of social interests that their work furthers are being impeded by the private sector provisions of the Privacy Act. The private sector provisions make no specific provisions for the activities of private investigators.

What submissions say – issues

Work of private investigators

The Australian Institute of Private Detectives (AIPD) (38) comments extensively on how the Privacy Act impacts on their functioning. It outlines the work of private investigators as being crucial in workers’ compensation and third party injury cases as well as commercial areas, such as process serving and debt collection and the repossession of goods and/or services. It says private detectives sometimes play a watchdog role in conducting investigations into the conduct of the authorities on the behalf of individuals.

Unequal access to information

The main concern expressed by the AIPD (38) is that private investigators are excluded from the definition of ‘enforcement body’ in the Privacy Act. The AIPD is concerned that enforcement bodies have access to information under NPP 2.1 that is denied to other organisations and individuals. The AIPD submits that this inequality in access to information could lead to inequality and unfairness before the law.

The AIPD (38) refers extensively to legislation, Charters and Treaties from around the world in demonstrating that an individual has the right to have equality before the law and a right to a fair trial[196]. The AIPD uses these documents to substantiate its argument that private investigators should have the same right of access to information as enforcement bodies. The submission argues that the Privacy Act excludes private investigators and individuals from being able to access information in order to prepare adequately for matters or potential matters before a court or tribunal. The submission contends that because enforcement bodies can access this information, private investigators and other individuals are at a disadvantage before courts and tribunals and this means there is inequality before the law.

The AIPD argues that, particularly in relation to criminal matters, if an individual does not have the right to access information to adequately defend themselves, that person has not been granted a fair trial. The AIPD argues that equality before the law is a constitutional right[197]. It argues that the inequality in access to information caused by the Privacy Act, resulting in inequality before courts and tribunals, means the Privacy Act is unconstitutional. The AIPD launched legal proceedings in the Federal Court of Australia during March 2004 challenging the constitutional validity of the Privacy Act. The Application stated that:

‘the Privacy Act is unconstitutional due to section 6(1) as it denies the right to access information in the public and private sectors to private investigators acting on behalf of their clients for matters and potential matters before the courts and tribunals. It also denies ordinary citizens representing themselves the same rights to access information in the public and private sectors for matters and potential matters before the courts and tribunals’.

The AIPD later filed an amended Application claiming that the Office had declined to grant a Public Interest Determination under section 72(2) of the Act to authorise the disclosure of personal information by organisations to its members for the purpose of investigating matters in relation to litigation or potential litigation.

In November 2004 the case was dismissed on the grounds that the Court lacked jurisdiction to grant relief, and costs were awarded to the Commonwealth.

Collection

One concern for private investigators could be the obligation to let individualsknow if a private investigator is collecting information about them under NPP1.3 and NPP 1.5. However, Information Sheet 18 ‘Taking Reasonable Stepsto Make Individuals Aware that Personal Information about Them is BeingCollected’, published by the Office, makes it clear that in some situations,many of which may apply to the work of private investigators, no steps willconstitute reasonable steps to notify. For example, the information sheetsays:

‘To investigate and confirm a suspicion of fraud or unlawful activity itwill often be necessary to collect information about an individual'sactivities without alerting them to the fact that information is beingcollected for this purpose. Raising awareness about this may give theindividual an opportunity to cover-up evidence of unlawful activity.There is a clear public interest in the detection of fraud and unlawfulactivity.

In the case of fraud investigation which is in the public interest, it willgenerally be reasonable not to take steps to ensure awareness of theNPP 1.3 matters at the time of collection, where:

fraud or other unlawful activity is suspected on reasonablegrounds

information being collected is necessary for the investigation ofthe suspected fraud or other unlawful activity and

there are sound reasons for concluding that providing notice ator before the time of collecting the information wouldsignificantly reduce the integrity and usefulness of theinformation.’

These circumstances arise where unlawful activity is being investigated.However, investigators may be investigating activity which is improper ratherthan unlawful; for example, misuse of employer resources, abuse of power orposition, or marital infidelity. Complying with NPP 1.3 or NPP 1.5 in thesecircumstances may impinge on the activities of private investigators.However, it is considerably less clear in these circumstances that the publicinterest in investigating possibly improper activity outweighs the individual andthe public interest in individuals being aware that they are under investigation.

Disclosure

The AIPD (38) submits that the activities of private investigators are severely hampered by NPP 2. Its main concern is that NPP 2 prohibits organisations from disclosing information to private investigators. The AIPD (38) argues that NPP 2 limits the ability of private investigators to have access to all information necessary to proceed before a court or tribunal. A similar argument is made by the Australian Collectors Association, Institute of Mercantile Agents, Australian Institute of Credit Management (Joint Credit Industry) (115) in relation to debt collection. Their submission argues that the Privacy Act impedes debt collection practice as credit providers are unable to access information about individuals that would enable them to investigate fraud or serve legal process.

The submission also raises concerns that the Privacy Act limits the ability of credit providers to access information that would assist in locating debtors who have left their last known addresses, even where the defaulters have provided express authority.

It is possible that, without consent, NPP 2 will impede the ability of private investigators to collect information from organisations in these circumstances. The law enforcement exceptions to NPP 2, such as NPP 2.1(f), (g) and (h), do not apply to these situations.

Other legislation that impacts on private detectives

The AIPD (38) contends that the Privacy Act impacts on the ability of private detectives to access information needed to investigate fraud and other crime. However, there is other state and territory legislation, and also privacy-related legislation at the federal level, that also has an impact on the ability of private detectives to have access to information. For example, state legislation prevents information about drivers’ licences from being disclosed. The Commonwealth Electoral Act 1918 prevents private detectives from accessing the electoral roll, except in hard copy. Some states also have privacy legislation which may prevent government agencies from disclosing personal information to private detectives. As a result, this issue must be seen as broader than the Privacy Act.

Other views

The Australian Privacy Foundation (90) is concerned that the business activities of private detectives are significantly likely to be in violation of an individual’s privacy. In criticising the small business exemption, the Australian Privacy Foundation (90) remarks that ‘some of the most privacy intrusive activities are carried out by small companies [such as] private detectives’. The core business of private detectives appears to involve collecting information about individuals without their consent at the wish of a third party client. There are, therefore, public interest arguments in favour of regulating the activities of private detectives.

Private detectives and other jurisdictions

The Data Protection Act 1998 (UK) enables the disclosure of personal information in order to establish, exercise or defend legal rights. Privacy provisions and practices in other jurisdictions do not appear to be significantly out of step with the private sector provisions.

United Kingdom

Subsection 35(2) of the Data Protection Act 1998 (UK) provides an exemption from the non-disclosure provisions where the disclosure is necessary:

(a) for the purpose of, or in connection with, any legal proceedings (including prospective legal proceedings) or

(b) for the purpose of obtaining legal advice, or is otherwise necessary for the purposes of establishing, exercising or defending legal rights.

New Zealand

Under the New Zealand Privacy Act 1993, Information Privacy Principles 2, 3, 10 and 11 provide an exception where the agency collecting or holding the information believes on reasonable grounds that non-compliance is necessary:

‘to avoid prejudice to the maintenance of the law by any public sector agency, including the prevention, detection, investigation, prosecution, and punishment of offences’.

The exception refers only to ‘public sector agency’. Private investigators, as private sector agencies, would not, therefore, be able to rely on this exception. Discussion Paper No 8 states:

‘The words ‘public sector agency’ are included in the exception to ensure that only agencies with a proper function connected with the maintenance of the law would be able to act in reliance on the section. For instance there was concern that if the exception was not limited in this way that private investigators might rely on the exception to justify their actions’[198].

Canada

The Personal Information Protection and Electronic Documents (PIPED) Act (2000, c. 5) does allow for information to be collected without consent where the knowledge or consent of the individual would compromise the availability or accuracy of the information, and where the collection is ‘reasonable for purposes related to investigating a breach of an agreement or a contravention of the laws of Canada or a province.’

The Canadian Privacy Commissioner expressed reservations, however, about granting an entire industry or industry body status as an investigative body, particularly because this power may be abused by companies. According to the Canadian Privacy Commissioner, private investigative work can be conducted without resorting to the provisions that allow for disclosures to designated investigative bodies without consent[199]. Instead, the Canadian Privacy Commissioner recommends that the private investigator act as an ‘agent’ of the company. If the client organisation has the consent of the individual, this would then flow through to the investigator.

Options for Reform

Amend definition of enforcement body under section 6(1)

The AIPD considers that the way to even up the imbalance between the amount of information available to enforcement bodies (as defined in section 6(1)) on one side and private detectives on the other is to amend the Privacy Act to include private detectives in the definition of ‘enforcement body’. The definition of ‘enforcement body’ could be amended to include ‘private investigators in relation to matters before courts or tribunals’.

However, it is not clear that the public interest reasons for doing so outweigh the risks to the privacy of individuals. The fact that Parliament has found it in the interests of the community for law enforcement agencies to have access to information does not necessarily mean that all others should have an equal right. Although some of the activities of private investigators may appear to be similar to those of law enforcement agencies, particularly where they are acting on behalf of law enforcement agencies, or are carrying out activities that might have been done by law enforcement agencies in the past (for example, investigating fraud), this is not the case for all of their activities.

Private investigators carry out investigations on behalf of third parties, who are often private individuals. Law enforcement agencies carry out investigations on behalf of the state. Giving private investigators access to personal information in this way could mean that they are carrying out investigations without the important scrutiny and accountability mechanisms that law enforcement agencies are subject to.

Accountability

Private detectives’ licences are granted in New South Wales, Queensland, Victoria, South Australia and Western Australia under various pieces of legislation[200]. Such licences can be cancelled if a private detective’s conduct breaches legislation. Members of the AIPD must also comply with the association’s Code of Ethics. According to the Joint Credit Industry submission (115), almost all members of the Institute of Mercantile Agents hold a commercial agent licence and a private inquiry agent licence.

Nevertheless, the laws and institutional bodies that regulate private detectives are quite different to the conditions under which law enforcement agencies operate. For example, complaints against state or territory police forces that conduct surveillance operations and collect individuals’ personal information can be made to the state or territory ombudsman or the police complaints commission.

Accountability mechanisms help to legitimise surveillance and reassure the community that the negative impacts on privacy by law enforcement activities are minimal and warranted. Accordingly, the Privacy Commissioner has suggested in submissions[201] and a recent speech[202] that new surveillance and law enforcement policies and initiatives that potentially violate privacy should be balanced by accountability measures that ensure collection and disclosure of individuals’ personal information is conducted with accountability and that collection is justified and proportional to the threat.

Private detectives can be distinguished from other enforcement bodies on the basis that they are not accountable to the government or the community, or to any accountability body such as an ombudsman who can investigate complaints and award compensation, in the same way that law enforcement agencies are. It would therefore be difficult to recommend that private detectives be accorded similar access rights to personal information as law enforcement agencies, as proposed by the AIPD.

On the other hand, the AIPD and the Joint Credit Industry raise some issues relating to the public interest that may merit further consideration. There is a social interest in individuals being able to take effective action to recover debts owed to them, or to find a person who is at fault in a car accident. It is also fair that individuals be able to prepare a defence case for court proceedings. Where the balance lies, however, is not clear on the evidence so far available to the Office.

Public Interest Determination

The Privacy Commissioner could issue a Public Interest Determination enabling organisations to disclose personal information to private detectives acting in specified circumstances. The PID process involves public consultation and could be a chance for stakeholders to provide views and information on where the balance in public interest lies. However, as discussed, the issues on access to personal information arise more broadly than the Privacy Act, and a PID would not necessarily solve all the matters of concern to private investigators. It is also the case that even if actions were taken to allow organisations to disclose personal information to private investigators without consent, this cannot force organisations to do so.

This is a complex matter. There are many social policy issues involved in this debate and the wider community should have the opportunity to comment on this issue. There is also a range of laws that have an impact on the activities of private investigators. This would be a matter for state and territory governments.

It would therefore be preferable for the governments to consider this issue so that there is a wider public debate with all relevant federal, state and territory stakeholders involved.

Private detectives acting as agents

For private investigators acting as agents of organisations such as insurance companies, it may be possible to gain consent to collect through the organisation. The notice given by an insurance company, for instance, could flow through to cover the investigator[203]. Insurance companies could make individuals aware of NPP 1.3 matters at the time a customer takes out an insurance policy, or at the time the customer makes a claim. The notice could include information about the general circumstances in which the insurer might engage a private investigation firm, the circumstances in which the customer could be subject to covert surveillance, what the information could be used for and to whom the information would be disclosed.

7.10 Recommendation: Private investigations

66. The Australian Government, through the Attorney-General, should consider requesting that the Standing Committee of Attorneys-General (SCAG) consider the issues raised by the Australian Institute of Private Detectives, as they are broader than the Privacy Act.

7.11 Alternative Dispute Resolution

Alternative Dispute Resolution

The National Alternative Dispute Resolution Council describes Alternative Dispute Resolution (ADR) as ‘processes, other than judicial determination, in which an impartial person (an ADR practitioner) assists those in a dispute to resolve the issues between them’. ADR schemes provide flexible and affordable redress to consumers and small businesses against particular industry sectors. ADR schemes operate under Commonwealth Benchmarks (1997 Benchmarks for Industry Based Customer Dispute Resolution Schemes), the Australian Securities and Investments Commission (ASIC), the Corporations Act 2001, the Telecommunications Act 1997 and the Telecommunications (Consumer Protection and Service Standards) Act 1999.

What submissions say – issues

Five ADR schemes (56) comment on the impact of the private sector provisions on ADR in a joint submission to the Review[204]. The schemes acknowledge the competing public interests of an individual’s rights to privacy and efficient and effective ADR schemes. The schemes argue that compliance with NPP 1 and NPP 2 may delay the processing of information largely because, unlike many organisations covered by the NPPs, ADR schemes are unable to determine in advance what information will be collected and therefore how it will be used or disclosed.

Third Party Information

Under NPP 1.5, where an organisation collects information about an individual from a third party, there is an obligation to take reasonable steps to inform the individual about the collection, use and disclosure of the information. Relying on advice from the Office that ‘reasonable steps to inform’ can include no steps, the ADR schemes do not generally inform individuals of the collection, as this would breach confidentiality obligations. The joint submission states that the guidance provided by the Office through its information sheets has been useful in interpreting the NPPs, in particular NPP 1.3 and 1.5. The submission raises concerns that this advice does not provide legislative protection. The schemes raise concerns that this policy advice has not been tested in the courts and is not enforceable. This is discussed in Chapter 4.

ADR schemes as self-regulatory agencies

The Office has issued advice that self-regulatory agencies such as the Telecommunications Industry Ombudsman (TIO) and the Banking and Financial Services Ombudsman (BFSO) are authorities to which an organisation may report unlawful activity under NPP 2.1(f)[205]. The joint ADR submission (56) is concerned, however, that the Privacy Act provides no clear authority for such information to be provided to or collected by ADR schemes in other circumstances, for example, when they handle personal information that is not connected to unlawful activity and would therefore appear to fall outside NPP 2.1(f).

They say further that, despite the advice given by the Office, organisations have refused to disclose information needed by ADR schemes to investigate a claim for fear that they would be in breach of the NPPs. The ADR schemes submit that the application of the NPPs to ADR schemes is uncertain and that this uncertainty has impacted on the schemes’ efficiency and potentially on their effectiveness.

Sensitive Information

The ADR schemes (56) submit that many disputes brought to ADR schemes are from or about people with mental or physical illnesses. This is of relevance as determinations and negotiated settlements often take into account health or other sensitive information about a disputant or other individual. While the submission notes that NPP 10.1(e) allows for collection of sensitive information where the collection is necessary for the establishment, exercise or defence of a legal or equitable claim, the ADR schemes contend that it is not always clear at the time of collection that this exception will apply.

What submissions say – addressing the issues

Amend NPPs 1, 2 and 10

The ADR schemes (56) suggest that NPPs 1, 2 and 10 be amended to include an express exemption for ADR schemes. The submission declares that this will have no greater effect than formalising the policy advice already provided by the Office.

The submission requests that ADR schemes be specifically exempt from the NPP 1 requirement to inform individuals of collection where to do so would prejudice an obligation of privacy owed to a party to the dispute. The submission also suggests amendment of NPP 2 to enable use by and disclosure to ADR schemes for the purpose of dispute resolution. Finally, the submission suggests NPP 10.1(e) be amended to include, as permitted purposes, collection for the investigation and resolution of claims by ADR schemes.

Options for Reform

Amend NPPs

It appears that the NPPs may impact on the efficiency of ADR schemes. NPP 2 could be amended to enable use by and disclosure to ADR schemes for the purpose of dispute resolution. NPP 10.1(e) could also be amended to enable collection of sensitive information where it is necessary for the investigation and resolution of claims under ADR schemes. The Privacy Act would need to define what schemes this amendment would apply to.

Amend definition of ‘law enforcement agency’

By amending the definition of law enforcement agency to include ADR schemes, ADR schemes may be given more freedom under NPP 2 than they require to carry out their functions. As ADR schemes do not generally act as law enforcers, such an amendment would not appear to be appropriate.

Public Interest Determination

The Commissioner could make a Public Interest Determination under section 72 of the Privacy Act that would exempt ADR schemes from the full application of NPPs 1, 2 and 10. As the concerns reported by the ADR schemes are likely to be ongoing, amendment to the Privacy Act would provide greater clarity in the law.

7.12 Recommendations: Alternative dispute resolution schemes

67. The Australian Government, in recognising the important role played by Alternative Dispute Resolution (ADR) schemes, and in an attempt to formalise advice already given by the Office, should consider:

amending NPP 2 to enable use and disclosure of personal information to ADR schemes in the course of handling disputes

amending NPP 10 to enable collection of sensitive information where it is necessary for the investigation and resolution of claims under an ADR scheme

defining the term ‘Alternative Dispute Resolution Scheme’ for these purposes in the Act.

7.13 Responding to large scale emergencies

Introduction

The Terms of Reference to the Review ask to what degree the private sector provisions meet their objects whilst recognising that privacy must be balanced against a range of other community and business interests, including the general desirability of a free flow of information. The degree to which the NPPs meet this delicate balance was tested during the aftermath of the tsunami disaster in December 2004. In an attempt to locate missing family and friends, many Australians contacted airlines to find out whether the missing had continued flying after the tsunami hit. Such information, which is readily available to the airlines, if disclosed would normally appear to be a breach of NPP 2. The aftermath of the tsunami placed organisations in the position of balancing the right of an individual to privacy while also having the capacity to allay the fears of many relatives and friends of those missing.

Disclosure of personal information by airlines in situations such as that presented by the tsunami could therefore be in breach of NPP 2.

Law and policy

Privacy Act

NPP 2.1 provides limited circumstances where an organisation may disclose personal information. NPP 2.1 allows an organisation to disclose personal information in situations such as where the individual has consented (NPP 2.1(b)), where the disclosure is a related secondary purpose and within the individual’s reasonable expectations (NPP 2.1(a)) and where the disclosure is authorised or required by or under law (NPP 2.1(g)). NPP 2.4 allows for personal information to be disclosed to a person who is responsible for compassionate reasons; however, this relates only to health information held by a health service provider.

Issues

The scale and gravity of large scale emergencies have tested the application of the Privacy Act and raised questions as to how privacy protection should operate in such situations. The Privacy Act received criticism in the media after the tsunami disaster for lacking commonsense and for being unable to anticipate and cope with the extent of the tsunami disaster[206].

What submissions say – addressing the issues

One submission (confidential) argued in favour of amending the NPPs to enable organisations to disclose personal information to agencies or law enforcement bodies involved in coordinating the response in the event of an emergency or natural disaster.

Options for reform

Temporary public interest determination

Under section 80A, the Privacy Commissioner may make a Temporary Public Interest Determination (TPID) if the Commissioner is satisfied that the act or practice of an organisation breaches or may breach an NPP and the public interest in the organisation doing the act, or engaging in the practice, outweighs to a substantial degree the public interest in adhering to that Principle.

A possible solution to the kind of situation created by the tsunami is for the Privacy Act to be amended to enable the Privacy Commissioner to issue an emergency TPID. Once such a TPID is issued, disclosures that would ordinarily breach the NPPs would not be in breach during the operation of the TPID.

Currently, in order for a TPID to be created, an application needs to be made by an agency or organisation (section 73). Rather than requiring an organisation or agency to apply for a TPID, it may be more practicable and in the public interest for the Privacy Commissioner to issue a special emergency TPID without an application in situations where the public interest clearly outweighs any invasion of privacy.

Amend NPP 2 – Disclosures on compassionate grounds

Another option may be to include an exception to NPP 2 which would allow for disclosure based on compassionate reasons in times of national emergency. As noted above, NPP 2.4 enables a health service provider to disclose personal information to a ‘person responsible’ where the individual is unable to consent to the disclosure and the disclosure is made for compassionate reasons and is not contrary to any wish expressed by the individual.

Under NPP 2.4 a ‘responsible person’ includes a parent, child, sibling, spouse, guardian, power of attorney or person nominated by the individual to be contacted in case of emergency. NPP 2.4 could form the basis of an exception to disclosure in times of national emergency.

Parliament may wish to consider whether there is a social interest in having this information available to a ‘person responsible’. The extent of such disclosure needs further analysis. Consideration needs to be given to whether there is a public interest in restricting such disclosure to immediate family or if information should be disclosed more broadly, for instance to extended family and friends of a missing person. Whether there is a public interest in the media having access to such information is another matter to be considered.

Taking into consideration the trauma suffered by families and persons responsible during times of national emergency, it would be desirable to extend the definition of ‘person responsible’ to include those that families nominate to represent the family in times of trauma.

Amend NPP 2 – Disclosures in the Public Interest

Section 8(2) of the Canadian Privacy Act (R.S. 1985, c.P-21) states:

Subject to any other Act of Parliament, personal information under the control of a government institution may be disclosed

(m) for any purpose where, in the opinion of the head of the institution,

(i) the public interest in disclosure clearly outweighs any invasion of privacy that could result from the disclosure, or

If the Privacy Act were to have a similar section, it could clearly be invoked during a large scale emergency such as the tsunami. This section does not limit to whom the disclosure can be made. In adopting such a section, consideration would need to be given to whether such an exception is appropriate for information held by private sector organisations.

Involvement of government

Concerns about private organisations having to determine whether the public interest in disclosure outweighs the invasion of privacy could be addressed by involving government agencies such as the Department of Foreign Affairs and Trade (DFAT). DFAT has a high public profile in emergency situations and the community has an expectation that it will co-ordinate efforts to locate and assist in times of national emergency. One option is to give a government agency such as DFAT the authority to collect this information and subsequently distribute the information to families and other appropriate persons or organisations.

Define ‘national emergency’

After the Bali bombings on 12 October 2002, an emergency amendment to Division 11A, Part 1D of the Crimes Act 1914 was made in order to assist in the identification of victims of the bombings. The Division was also amended to enable the Minister to make a declaration in the case of a national emergency or where Australians have died as a result of an incident occurring overseas[207]. The Minister made a determination for the tsunami on 30 December 2004[208].

The Privacy Act could refer to ‘incidents’ as determined by the Minister under section 23YUF of the Crimes Act. Alternatively, the Privacy Act could be amended to include such a definition.

7.14 Recommendations: Large scale emergencies

68. Privacy laws should take a common sense approach. There needs to be an appropriate balance between the desirability of having a flow of information and protecting individuals’ right to privacy. In developing an exception to disclosure for cases of national emergency, consideration should be given to the seriousness of the privacy breach versus that of protecting privacy.

In large scale emergencies, the consequences of disclosure should be compared to the consequences of non-disclosure. Consideration also needs to be given to the potential identity fraud that may occur during such a time, especially if disclosure is allowed to the media.

The Australian Government should consider:

amending NPP 2 to enable disclosure of personal information in times of national emergency to a ‘person responsible’

extending the NPP 2.5 definition of ‘person responsible’ to include a person nominated by the family to act on behalf of the family

amending the Privacy Act to enable the Privacy Commissioner to make a Temporary Public Interest Determination without requiring an application from an organisation

defining ‘National Emergency’ as ‘incidents’ determined by the Minister under section 23YUF of the Crimes Act 1914.

8 New technologies

8.1 Developments

The NPPs were intended to be technology neutral to ensure that they would remain relevant despite technological change. The explanatory memorandum for the private sector provisions says:

‘The speed at which electronic commerce is evolving and changing makes it difficult for existing laws to be adapted. Any arrangements that are put in place need to provide an adequate and enforceable level of security and protection of personal information, while being flexible and technology-neutral so they can adjust to changing circumstances and emerging technologies’.[209]

Since they were developed there have been some dramatic changes in technology that have had a considerable impact on the ways that personal information can be collected, tracked, connected and disclosed.

Telecommunications and internet

In the telecommunications area, new mobile phone technology and Radio Frequency Identification (RFID)[210] technologies have emerged that can become means of tracking the movements of individuals or subjecting them to covert surveillance. Other new technologies such as Electronic Number Mapping (ENUM)[211] and Voice over Internet Protocol (VoIP)[212] are also leading to much greater connectivity and global reach. This enables many more organisations to have access to information about telephone numbers, including mobile phone numbers and related information. This may be unprotected by telecommunications legislation that has regulated telephone numbers in a more conventional environment. Mobile phone cameras have also become widely available. Much of this technology is available to, and used by, individuals as well as organisations.

An increasingly wide range of transactions is carried out online. The nature of such technology means that every transaction leaves a data trail that can potentially be followed by someone else.

A research paper prepared for the Council of Europe in late 2004 on the application of data protection principles to the worldwide telecommunications networks outlines a range of developments that mean that:

‘. . . it has and will become more and more possible to record the details of all the individuals on our planet and this will be less and less visible.’[213]

Data aggregation and mining

Technology has also made it much easier to connect information, such as a telephone number, with an individual’s name or other contact information such as a postal or email address. Also, people can be more easily contacted, for example, by email, without the need for a name.

Media coverage of America’s largest data miner, ChoicePoint, shows the breadth of personal information that new technologies have allowed organisations to collect and the indirect means by which they collect it. It also shows the vulnerability of these huge data warehouses and the privacy threats they pose.[214] ChoicePoint’s computers hold 19 billion data files that include names, addresses, social security numbers, phone numbers, driver’s licences, car registrations, credit histories, birth certificates, real estate deeds, legal histories, fishing licences, military records, insurance claims, thumbprints, and DNA. It accumulated this information as a result of buying a series of well targeted businesses. It attracted media attention when it became public that it sold information about 145,000 people to a person posing as several small-business owners who used the information to create fraudulent identities. Clients of ChoicePoint range from the boy scouts to the CIA.[215]

Biometrics

Another development is the increasing use of biometrics for identity management. Biometric technologies are being used in a range of contexts in both the public and the private sectors. For example, biometric technologies in the private sector are being used or proposed for identification purposes in methadone programs, taxi booking services, ATMs and online banking, access to buildings and many others.

Drivers for the use of biometric technology include the increasing power of information technology, increasing remote communications requiring identification and authentication, commercial and national security issues and increasing interoperability between biometric systems and between biometrics and other systems.

The collection and use of biometric information has great potential to contribute to the protection of personal information and identity, but it also has the potential to pose great privacy risks. Biometrics can be a powerful identifier. Whether it poses privacy risks depends on whether:

biometrics are used to accumulate or link large amounts of personal information in a central place

people have choice about whether to provide biometric information

biometrics are used to collect information covertly

there are procedures for when things go wrong and

there are built in protections against function creep.

Privacy risks are most likely to arise where individuals have no choice about the use of the technology and the process lacks openness and accountability.

Electronic health records

Significant developments in the areas of e-health and electronic health records have notable implications for privacy, including for the private health sector.

A number of electronic health records systems are being developed at the local, regional and national levels. Some states are developing these systems, such as OACIS[216] in South Australia and Health e-link[217] in New South Wales (formerly EHR*Net). At the national level, the HealthConnect[218] project aims to create a centralised system for managing information (in summary form) about individuals’ interactions with the health sector.

The Australian Government has also provided funding to help health service providers (particularly general practices) obtain high-speed broadband internet connections. This will help facilitate their participation in initiatives such as HealthConnect.

Role of technology in protecting privacy

There is a role for technology itself in protecting privacy, often called Privacy Enhancing Technology or PETs. For example, a system can be built to allow anonymity, or it can be built in a way that identifies every step a user takes:

‘At the University of Chicago, it is possible for students, staff and administrators to communicate anonymously. If one wants access to the Internet, one can simply connect one’s computer to any Ethernet connection jack located throughout the University. At Harvard, however, a machine cannot be connected unless it is registered, so that all interactions with the network can be monitored and identified with a particular machine, and probably a user.’[219]

Generally speaking, commentators see the use of PETs as a useful complement to legislation, regulation and the education of individuals to take protective action for themselves.

As currently framed, the private sector provisions do not impact on those developing new technologies because they generally are not handling personal information in the process.

Issues

The issues paper raised the general question of whether the private sector provisions are adequate in protecting individual privacy in the light of these developments. It also raised particular issues including whether:

it is possible to maintain the technological neutrality of the provisions

the ability to identify individuals should remain as the focus for privacy protection

the provisions should extend to the activities of individuals acting in their private capacity and

confidence in privacy protection in new technologies is impeding commerce in this area.

8.2 What submissions say – the issues

Support for technological neutrality

There is significant support in submissions for the concept of maintaining the technological neutrality of the NPPs to ensure that they remain relevant despite technological change.[220] However, the Australian Communications Authority (94) says that, given the rapid rate of change, there is a need to periodically review the adequacy of the NPPs on this point. Baycorp (86) says that its experience is that the neutrality of the NPPs supports technological change and, while there is a need to examine the privacy impact of new technologies, there should be no regulatory change unless it meets very stringent tests. Australian Business and Specialist Publishers (8) suggests that new technology does not necessarily mean privacy infringement and says that there should be no change until there is a proven problem.

Submissions are mixed, however, on whether the intrusiveness of a technology is a privacy issue. For example, the Australian Direct Marketing Association (67) recognises:

‘the OFPC’s concern that some contact channels and technologies are more intrusive than others – indeed, this is reflected in ADMA’s ‘hierarchy on intrusion’ which recognises that the more invasive the contact channel, the higher level of protection required. However, ADMA does not believe that this is a privacy issue – instead it is about use of technology. . . . the purpose of the private sector provisions is not to regulate how an organisation uses technologies or channels to contact individuals, it is to regulate how an organisation handles personal information.’

Baycorp (86) says that, in its experience, regardless of the channels used to contact individuals, businesses have remained focused on the individual’s right to privacy.

On the other hand, although it supports technological neutrality, Optus (98) considers that there are new and emerging technologies, such as VoIP and IP and Location Based Services, that may provide new challenges for the protection of Australian consumer information because the functionality that these services provide is more invasive.

In the case of VoIP, Optus (98) says that for the first time ever the Australian public will be able to access voice services from a provider that has no presence or dealings in Australia. It raises the privacy issues associated with ENUM registries operating in the VoIP environment, which will contain details of telephone numbers and IP addresses as well as possibly details of service preferences and settings for additional calling features. It recognises the importance of having a suitable framework, which the Australian Communications Authority has already begun to develop. It also warns that low cost services such as these should not mean less privacy protection and that VoIP providers will need to be aware of the privacy of both originators and receivers of these types of calls. It is also concerned that neither the Privacy Act nor the Telecommunications Act may cover VoIP providers that are overseas and that there is a need to consider whether the Office has the ability to ensure that overseas VoIP providers comply with the NPPs and to raise consumer awareness of these issues.

The Australian Consumers’ Association (15) considers that the Privacy Act is not working because it cannot deal with the technologically specific risks of certain new technologies. It cites the Spam Act, and industry codes such as the ACIF Short Message Service (SMS) code and the ADMA m-commerce codes, as examples of this.

Gaps in the private sector provisions and new technology

Location based technology

The emergence of location-based technology, for example location based services for mobile phones, RFID or the Global Positioning System (GPS) capabilities of some mobile phones, was raised by a number of submitters who suggest it may pose a challenge for privacy regulation.[221] The Australian Consumers’ Association (15) argues that the current Privacy Act does not clearly establish consumer control over location information and challenges assumptions about how privacy and personal information inter-relate. It says that unless the individual controls the context in which the information is released, a business making an unsolicited locational approach will have a high probability of being inappropriate, intrusive and quite possibly offensive.

MCommerce

MCommerce (mobile commerce) may raise new privacy challenges, including consideration of the security of transactions. For example, sensitive financial information such as credit card details may be sent using unencrypted SMS messages. The Australian Communications Authority (94) suggests that consideration be given to amending NPP 4.1 to state that service providers should ensure the payment mechanisms they establish also protect the personal information of consumers.

Spyware

Spyware is another emerging technology that submissions raise as having significant privacy implications. The Australian Consumers’ Association (15) argues that consumers should have an enforceable right to know who is watching them, and to make them stop if they do not like it, unless the watcher has some overriding authorisation such as a court order or warrant.

Another use of technology to ‘spy’ on others is the use of ‘scanners’ to listen to radio communications by emergency services. The Australian Communications Authority (94) notes that it has received complaints regarding the use of scanners to listen to police frequencies where the information obtained is then used inappropriately. In many cases this sort of incident would not be covered by the Privacy Act because it is carried out by individuals in their personal capacity, and because it may not result in collection of information for inclusion in a record.

The Department of Communications, Information Technology and the Arts (DCITA) released the results of a legislative review into the coverage of existing laws regulating spyware in March 2005.[222] It found that the most serious and malicious uses of spyware are already covered by existing legislation. DCITA is planning to undertake public consultation on spyware in May of this year.

Health issues

A number of submissions are concerned that the NPPs may not adequately keep pace with the use of new technology in the management of health information in the health sector, such as through electronic health records systems.

The Australian Physiotherapy Association (37) says that with greater use of electronic methods of information transfer, there comes a need for greater levels of awareness about how to protect health and other personal information.

The Pharmacy Guild of Australia (93) is concerned that the NPPs may not be adequate for these new systems, including because they can create more avenues for the transfer of health information to more organisations. Similarly, the Australian Federation of AIDS Organisations Inc (54) submitted that ‘electronic sharing of health information raises the potential for sharing of information across a wide network and consumers may feel that they quickly lose control of who has access to their records’.

Also, the Australian Government Department of Health and Ageing (99) noted:

‘as personal information becomes more widely dispersed and stored on larger databases, it may potentially become more difficult for an individual to control the flow and exchange of personal information unless proper privacy safeguards are built in from the outset.’

The Department of Health and Ageing (99) also expresses concerns about privacy protection where an e-health website, used by a consumer, is located overseas.

Other gaps arising from new technology

Xamax Consultancy (3) says that the private sector provisions fail to address the greatly heightened privacy-invasiveness, and the new technological threats, that have been a feature of the 25 years since the promulgation of the OECD guidelines in 1980 on which the NPPs are based. These include that they do not:

provide individuals with control over ‘their’ identification and authentication tokens (such as chip-cards and digital signature keys)

provide the necessary tight regulatory regime over the use of biometrics

address rampant surveillance technologies, or force corporations to achieve balance between their desires and those of individuals

impose a responsibility to ensure that an automated decision that is adverse to the interests of a consumer is subject to review by a human being before being communicated or implemented.

Activities of private individuals

Individuals now have greater access to a wide range of technologies that can have considerable potential to be privacy invasive.

However, there does not appear to be a great deal of support from submissions, or in consultations, for changing the Privacy Act so that it covers the activities of private individuals in their personal capacity. For example, the Australian Consumers’ Association (15) says that controlling individual behaviour is best left to social norms backed by general or specific laws.

On the other hand, the Australian Communications Authority (94) says it has received complaints regarding the use of scanners by individuals in their private capacity to listen to police frequencies where the information obtained is then used inappropriately. It supports further consideration being given to how to address the issue of protecting against invasions of individual privacy by individuals acting in their private capacity.

Definition of personal information

The changing nature of technology also raises the issue of whether the definition of personal information adequately covers the activities that might be considered to be privacy invasive in this new environment.

Concern about changing definition

A number of submissions are not in favour of changing the definition of personal information.[223] The costs associated with change are an issue.[224] Vodafone (112) says that maintaining consistency with privacy regimes in the United Kingdom and Ireland is another reason for no change to the definition. Coles Myer (60) says:

‘We accept the proposition of some privacy and consumer advocates that this principles-based approach can lead to uncertainty from a consumer perspective. It is true that two similar fact scenarios may lead to different privacy outcomes depending on whether or not an individual can be identified. Coles Myer does not believe this is a short-coming of the Act. Instead, it requires each situation to be assessed on its individual merits rather than a blanket rule to be applied. This is the appropriate analysis given the Act’s concerns to protect individual rights, rather than public rights in general.’

An example of when similar fact scenarios may lead to different outcomes is raised by the Department of Health and Ageing (99). The Department says that the move toward personalising the provision of health information online raises questions about whether the advice provided by an e-health site amounts to ‘treatment’ rather than preventative information or promotion. If the site is providing treatment, then it becomes a health service provider. It asks the question in relation to consumers using such services:

‘. . . if they are receiving ‘online treatment’ through a fully automated CBT [Computer Based Treatment] intervention are they entitled to the same legal rights and protection as a consumer receiving CBT in the GP surgery, including privacy rights?’

It suggests that the answer to this question may depend on whether the email address used by the individual accessing such sites can be characterised as personal information.

In relation to the issue of whether the ‘ability to contact’ an individual should form part of the focus of privacy protection, Baycorp (86) says it is mindful that when first enunciated, the right to privacy was expressed as a ‘right to be let alone’. Further it says:

‘But as the information economy has been developed, it has become very clear that the principal means that value is created in that economy is by the association of previously disparate elements of information. Much of that data relates to individuals. Accordingly, Australia, like other jurisdictions, has restricted its privacy regulation in two important ways:

it does not confer an absolute or presumed right to anonymity

it is limited to the individual’s rights over the collection and use of personal information.

These restrictions in scope are fundamental to an enabling technologically neutral environment. Without them, the privacy regime could easily inhibit the development of an information economy in Australia.’

Baycorp goes on to say that any proposal to extend the scope of privacy regulation to include the ‘right to be let alone’ should only be carried out if it meets stringent tests which establish both serious harm and the absence of any alternative, non-regulatory response. It says the current examples do not meet this test.

Concerns about current definition of personal information

On the other hand, other submissions[225] identify a number of issues relating to the current definition of personal information which might support a need to move privacy protection away from the current concept of identification, as represented in the privacy framework.

The Australian Communications Authority (94) recognises that although the Privacy Commissioner generally does not consider that mobile telephone numbers and ‘generic’ email addresses which do not clearly identify an individual are ‘personal information’, it has been the Australian Communications Authority’s experience in enforcing the Spam Act that individuals affected by spam regard their telephone numbers and email addresses as personal information and the receipt of spam as a violation of individual privacy.

The Australian Communications Authority (94) goes on to say that:

‘While individuals may move away from traditional identifiers, the new protocols such as email addresses, avatars and internet banking passwords may be no less indicative of identity. As lives are increasingly led ‘online’, identifiers may not bear a resemblance to traditional physical concepts of identity.’

The Communications Law Centre (72) says that the narrow definition of personal information is a key problem, as it allows organisations in the online world to create user profiles that monitor and keep track of individuals’ habits and interests but that are not regulated by the NPPs. Electronic Frontiers Australia (51) supports this view:

‘On the internet, it is not necessary for businesses or any other online service to be able to reasonably ascertain the actual identity of an individual, in order to build a profile about them. All that is necessary is a sufficiently unique identifier. Such identifiers (and profiles) may be disclosed to other entities who are able to connect a ‘cyberspace’ identifier with a name or other “real-world” identifier.’

Confidence in privacy protection

Few submissions comment on the question of the level of community confidence in the online environment, or the reasons behind this. Telstra (110) says that if confidence is undermined, raising awareness is the answer. However, several other submissions suggest that the low level of trust of individuals in internet companies is probably justified and that encouraging the community to think otherwise would be misleading. Electronic Frontiers Australia (51) says:

‘The fact is that, under existing Australian law, individuals have almost no privacy “rights” in the online environment and even the few rights they allegedly have are not protected adequately and are difficult, sometimes impossible, to have enforced. The lack of rights arises from a combination of factors, including but not limited to, uncertainty regarding the definition of “personal information”; no requirement to obtain consent before collecting personal information; use of bundled “consents” including to disclose information to unspecified “partners”; the small business exemption; and/or technological developments.’

The Australian Consumers’ Association (15) and Electronic Frontiers Australia (51) suggest that an important way to encourage community confidence would be for the Office to take more vigorous and visible enforcement action.

8.3 What submissions say – addressing the issues

Addressing new technology generally

Special legislation

During consultations it was recognised by many that the NPPs will not always be able to deal with every privacy invasive situation. However, in general, there was a view that in this case it was better to deal with it in special legislation, rather than amend the NPPs. For example, Telstra (110) says:

‘If existing privacy laws are found to be lacking with respect to the application of a particular technology, then it is better to deal with the relevant issue in specific legislation rather than by amending the general principles in the NPPs. Telstra notes that this was the approach adopted to address the issue of unsolicited electronic communications by the Commonwealth Government (i.e. through introduction of the Spam Act). The NPPs are intended to provide a set of general guiding principles rather than exhaustive legislation on privacy issues.’

Nonetheless there is also concern that, if channel or technology specific legislation is developed by government, the Office should play a more active role in ensuring that such legislation reflects the definitional requirements of the NPPs and does not introduce conflicting obligations on business.[226] Others are less sure that specific legislation is necessarily always appropriate.[227]

Enforceable national guidelines

Coles Myer (60) suggests that one way to deal with any failings in the national approach to technology would be to have enforceable national guidelines or an industry code applying horizontally to certain issues. In this vein, the Australian Retailers Association (111) is developing an RFID consumer code which specifically mentions and operates in accordance with the NPPs, because the NPPs cover the applications of the technology regardless and cannot be negated. It agrees with ADMA that it is the information that matters, not the technology.

Office to engage broadly with the community

Vodafone (112) believes that the best approach to addressing issues relating to new telecommunications technologies is for the Office to support the regulatory principles of technology neutrality and to engage broadly with the telecommunications industry and relevant authorities.

Addressing issues about health records

Specific regulation for electronic health records

In response to the challenges they raise for the NPPs, a number of submissions suggest there should be specific privacy protection for electronic health records.[228]

The Australian Nursing Federation (127) submits that national standards should be developed specifically for electronic health records, and that these should complement privacy. It argues that technologically neutral privacy principles or legislation could leave consumers at risk.

The Australian Federation of AIDS Organisations (54) proposes that specific provisions be inserted into the Privacy Act to guarantee that consumers have a choice of voluntary participation in such systems. Also, these provisions should require health service providers to inform consumers of their rights when participating in such systems.

The Australian Medical Association (29) says there should be stronger provisions in the law and greater resources at the federal level to prevent corporate misconduct around the on-selling of health information. For example, it questions whether ‘so-called’ de-identified data is genuinely de-identified, or how easily it can be re-identified.

A number of submissions stated that the Privacy Commissioner should be represented on key national e-health forums, including HealthConnect and the National e-Health Transition Authority.[229]

Consistent regulation for electronic health records

Submissions state that the multiple sources of privacy regulation in Australia pose challenges for a national electronic health records system. For example, the Department of Health and Ageing (99) describes the current regulatory environment as a ‘patchwork’, which ‘creates major problems for the future of national e-health initiatives’.

However, one submission says that prescribing privacy protections into law for HealthConnect may prove problematic when information is shared with other health records systems. Prescribed protections for the respective systems need to be consistent for their interoperability to be successful.[230]

The consistent implementation of a National Health Privacy Code (see Chapter 2) across all jurisdictions could provide baseline conformance in privacy protection in this area. However, any specific legislation governing the operation of electronic health records systems also needs to be consistent across all systems.

Change to definition of personal information

To address the issue of use of identifiers to profile individuals and then connect the profile to a name, Electronic Frontiers Australia (51) says that the definition of personal information must be extended to cover identifiers irrespective of whether it is obvious to the collector or discloser that an individual’s identity can reasonably be ascertained from that identifier and whether or not an individual can be contacted by use of that identifier. It recommends that the definition of personal information in the Privacy Act be extended to include wording such as:

‘Any information which enables interactions with an individual on a personalised basis, or enables tracking or monitoring or an individual’s activities and/or communication patterns, or enables an individual to be contacted’.

The Australian Privacy Foundation (90) supports an ‘ability to contact’ test, perhaps by adding wording along the lines of ‘ “. . . or information sufficient to allow communications with a person”, that is, whether or not it is sufficient to allow the person to be identified.’

On the other hand, a number of submissions favour making no change at all, or only if there is clear evidence of a need which cannot be addressed in other ways.[231]

Senate inquiry

On 9 December 2004 the Senate referred a number of matters relating to the Privacy Act to the Senate Legal and Constitutional References Committee. The terms of reference include that the Committee is to look at ‘the capacity of the current legislative regime to respond to new and emerging technologies which have implications for privacy’. The terms specifically refer to smart card technology, biometric imaging data, genetic testing and microchips that can be implanted in human beings.

Information relating to new technology presented to the Senate inquiry may be relevant to this review and to any subsequent wider inquiry into the Privacy Act.

8.4 Options for reform

Maintain technological neutrality of the NPPs

NPPs may not be technologically neutral

Submissions generally support maintaining technological neutrality for the NPPs. There are strong arguments for doing this. Unless neutrality is maintained, the NPPs would need constant change to accommodate every new technology. Legislative change could not keep up with this. It would also make the NPPs more prescriptive.

However, submissions received and also work that is taking place globally indicate that the NPPs as they currently stand may not in fact be technologically neutral. They are based, with some modifications, on the OECD principles that were developed during the 1970s when the electronic and telecommunications environment was vastly different from what it is now. In particular, the NPPs do not appear to have been developed with the online environment in mind. For example, there do not appear to be provisions which take into account the identifiers used in the online environment (resulting from packet switching rather than circuit switching) and the uses that can be made of them to track the transactions of an individual. The provisions do not take into account the different approach to identity authentication required in the online environment.

Also, the NPPs rely on people making informed choices about whether, and how much, information about themselves they hand over. In the online environment, people may have very little knowledge or choice about some of the data trails they leave. On the other hand, gaining an individual’s consent to some specific activities in relation to personal information is much easier than in the paper based environment.

As online and electronic interaction becomes increasingly a key part of people’s lives, it becomes more difficult to argue that privacy principles that do not take into account these realities are technologically neutral.

EU research

Support for this view can be found in research carried out for the Council of Europe which states:

‘The advent of the Internet has created a need for a third generation of data protection regulations’.[232]

This suggests that there may be a need for new NPPs to accommodate these realities. For example, there may be a need for organisations to give people choice about the kind of identity authentication that they are to use, or there may be a need for organisations to only engage in profiling activity if they have the consent of the individual.

Issue is complex

These are complex issues that have not been researched or canvassed fully in the course of this review. Any change in the NPPs should only be made after appropriate consultation with stakeholders. This may best be done in the context of a wider review of the Privacy Act.

Change definition of personal information

Adding new NPPs to the private sector provisions may address some of the emerging privacy challenges of new technology. However, it appears that the current definition of ‘personal information’ may be an impediment to the ability of the private sector provisions to address these challenges.

Whether or not a person’s identity can be reasonably ascertained from information is becoming difficult to determine. With the advent of new technologies it is increasingly difficult to conclude that information that may appear to be de-identified, or not identified, can never be connected with a real person. There is evidence that information about people is increasingly used to make contact with people in ways that people find privacy invasive even if it cannot necessarily lead to the physical location of an individual or their actual name (for example, email). It is also being used to profile individuals.

As the Council of Europe research suggests:

‘New technology makes it increasingly possible to process data relating to individuals not, as was traditionally the case, through data relating to their legal identity, such as name and address, but via an anchor point or even an object (so-called ambient intelligence) associated with it. This means that the danger often no longer resides in the collection of personal data as such but in the subsequent application of abstract profiles to individuals.’[233]

The European research report says that it is clear that the Consultative Committee will have to work with the concept of personal data. It concludes:

‘A definition of personal data based on undefined and indefinable notion of identity and the pendant concept of anonymity is ambiguous and not directly workable. From the practical point of view, it would be better to refer to biographical data, identifiers linked to individuals or to terminal (indeed objects), and points of contact.’[234]

Changing the definition of personal information would be a major step and could have major implications for business. Once again, it is a complex matter and requires research and consultation. For example, the UK Information Commissioner recently commissioned research on the issue of ‘What are personal data?’[235] This could be a matter appropriate for a wider review of the Privacy Act.

Issue guidance on definition of personal information

The Office could issue further guidance, consistent with existing law, on what is personal information which takes into account the fact that in the current environment it is more difficult to assume that any information about people cannot be connected. It is not clear that this would solve the ‘ability to contact’ issue.

Specific legislation for electronic health records

The benefits are attractive, but the privacy risks posed by electronic health records systems could be high due to the capacity of such systems to link highly sensitive information and to make it more widely accessible. If things go wrong with such a system, the implications could be severe.

The security and governance arrangements for these systems need to be assured. Also, individuals who choose to take part in these systems need to retain adequate control over how their information is handled.

Therefore, as well as having a national standard for protecting the handling of health information (that is, a consistently enacted National Health Privacy Code), there appears to be a need for specific enabling legislation for electronic health records systems generally. This is the case particularly for an overarching national (or enabling) system, such as HealthConnect.[236]

Process to address global issues

The advent of new technology has added urgency to the need to take a global approach to privacy protection. The Government should initiate discussions about how to deal with major jurisdictional issues arising from the global reach of new technologies such as VoIP. There needs to be a globally consistent approach to new technologies in these areas and a chance for individuals to have recourse if their information is inappropriately used. The consequence of not having a globally consistent approach is that information may end up in the country with the lowest privacy protection standards.

Power to initiate binding codes

The Office could make use (when necessary) of any new powers to initiatebinding codes (see recommendation 7) to deal with technologically specificsituations.

This would enable the Government and the Office, where appropriate, to respond quickly to emerging privacy issues in the area of new technologies. However, there are considerations to be addressed, including whether, unless the NPPs are updated, a code could deal with areas not necessarily covered by the NPPs, for example the use of identifiers or profiling.

Promote privacy impact assessments and privacy enhancing technologies

Protecting privacy in the face of rapidly developing new technologies requires a range of strategies.

There could be a greater role for the Privacy Commissioner to raise awareness among those developing new technologies about the need to build in privacy and the considerations that need to be taken into account so that technology is developed in a way that is privacy enhancing rather than privacy invasive.

One way that is increasingly being used to assess and avoid the privacy risks inherent in many large scale projects involving new technologies is to conduct privacy impact assessments.[237] The Office is developing privacy impact assessment guidelines for public sector agencies. This approach could also be applicable in the private sector.

The Office could encourage technology developers and implementers to conduct a privacy impact assessment for large scale high privacy risk projects. A wider review of the Privacy Act could consider the question of whether the Privacy Act should include provisions which provide for a privacy impact assessment to be carried out in specified circumstances.

Review definition of personal information and need to update model to take into account new technology

Some of these issues are complex and need more detailed consideration. One approach is to deal with most of the above by including it as part of a wider review of the Privacy Act.

8.5 Recommendations: New technologies

69. The Australian Government should consider, in the context of a wider review of the Privacy Act (see recommendation 1) reviewing the National Privacy Principles and the definition of personal information to assess whether they remain relevant in the light of technological developments since the OECD principles were developed. This should ensure that the private sector provisions remain technologically neutral and relevant to protect data privacy in the main contexts in which information about people is currently collected, used and disclosed.

70. The Australian Government should consider initiating discussions through appropriate international forums about how to deal with major international jurisdictional issues arising from global reach of new technologies such as Voice over Internet Protocol (VoIP).

71. The Australian Government should consider developing specific enabling legislation to underpin any national electronic health records system. The legislation should be consistent with the National Health Privacy Code, but also include enhancing protections for matters such as the voluntariness of the system and limitations upon the uses of people’s health records.

72. The Office will issue further guidance, consistent with the current law, on what is personal information which takes into account the fact that in the current environment it is more difficult to assume that any information about people cannot be connected.

73. The Office could use, if necessary, any new powers to develop binding codes (see recommendation 7) to deal with technologically specific situations.

9 Clarifying how the National Privacy Principles work

9.1 NPP 1.3(d)

Law and Policy

NPP 1.3 sets out an organisation’s obligations to provide notice to an individual when collecting personal information from them.

The principle requires an organisation to take reasonable steps to give notice to the individual about a number of things, including the identity of the organisation, the fact that the individual can gain access to their information and why the organisation is collecting their information.

More specifically, NPP 1.3(d) requires an organisation to advise the individual about likely disclosures of their personal information to other organisations.

The issue

In the course of providing advice and guidance on the operation of the Privacy Act, the Office has found what appears to be an unintended gap in NPP 1.3(d). While this issue has not been raised in the review process, and appears to have been generally non-contentious, this can create uncertainty about how the principle operates.

The principle states that a collecting organisation must give notice to the individual about certain likely disclosures: these must be ‘usual’ disclosures and they must be to ‘organisations’. The complexity arises in the use of the term ‘organisation’ within the principle.

A general reading would suggest that the individual should be told about any entities or individuals to whom their personal information is likely to be given by the organisation collecting their information. This is consistent with the general intent of openness and transparency promoted by NPP 1.3.

However, the term ‘organisation’ has a specific and more limited meaning within the Privacy Act. Under section 6C, this term excludes such entities as small business operators, political parties and state or territory authorities. Instead, it defines which entities (or ‘organisations’) are covered by the private sector provisions.

If interpreted strictly, the principle could mean that an organisation collecting personal information would need to tell an individual about likely disclosures of their information only in respect of private sector businesses to which the private sector privacy provisions apply. They would not have to tell the person about likely disclosures to Australian Government, state and local government agencies, private individuals or other entities such as small business operators.

This distinction seems to be inconsistent with the policy intent of the legislation. The Explanatory Memorandum in relation to this principle indicates that this distinction was not intended, when it says:

‘In relation to the requirement in 1.3(d) to tell the individual about the types of organisations to which the organisation usually discloses information of the kind collected from the individual: ‘Reasonable steps’, in this context, means giving generic descriptions of sets of organisations (for example, ‘debt collectors’ or ‘State Government licensing authorities’ or ‘health insurers’).’[238]

The mention of state government licensing authorities, which do not fall within the definition of ‘organisation’ in the Privacy Act, indicates that a collecting organisation should tell the individual about disclosures to a far broader range of entities than ‘other organisations’.

Options for Reform

Amend NPP 1.3(d)

To provide greater certainty to business and individuals, and to ensure delivery of the policy intent of the principle, NPP 1.3(d) could be amended. The principle could be revised to make clear that a collecting organisation must take reasonable steps to notify an individual of likely disclosures generally, whether these disclosures are to other ‘organisations’, to public sector agencies of the Australian Government or state or local governments, to other bodies or to private individuals.

No change

This issue did not figure in submissions and has been identified through the Office’s practice and experience in regulating with the NPPs. One option is to further monitor any issues that may arise with a view to addressing them later, if needed. However, this approach would mean that a known and unexpected uncertainty in the law, for which the policy intent appears clear, would not be resolved in a timely fashion.

9.2 Recommendation: NPP 1.3(d)

74. The Australian Government should consider amending NPP 1.3(d) to make clear that an organisation collecting personal information from an individual must take reasonable steps to notify them of likely disclosures generally, including to public sector agencies of the Australian Government, state or local governments, other bodies and private individuals.

9.3 NPP 1.3 and 1.5 – ‘reasonable steps’

Law and Policy

Under NPP 1.3 and NPP 1.5 an organisation collecting personal information from an individual, or from another source about the individual, must take ‘reasonable steps’ to ensure they are made aware of certain matters.

The issue

In the course of providing advice and guidance to business on the operation of the Privacy Act, the Office has identified some uncertainty about how these principles operate.

It is unclear whether an organisation can determine that, in some circumstances, taking no steps to provide notice to an individual is in itself reasonable. A number of organisations have raised circumstances with the Office in which it seems reasonable for them not to provide notice.

Therefore, the Office issued an information sheet[239] to clarify where it may be reasonable to take no steps to provide notice. For example, this may be where significant cost or difficulty is involved in contacting a third party whose information has been collected incidentally, where a health service provider collects information about family members of an individual for inclusion in the person’s medical, social or family history, or in many circumstances where the information is collected from a public source.

However, the Law Council of Australia (36), while commending the guidance given by the Office about NPP 1.5, raises concerns that, without an amendment, a court may interpret the principle more narrowly. The Law Council of Australia suggests that the principles should make clear that in some circumstances taking no steps to provide notice would be reasonable in complying with the requirements in NPP 1.3 and NPP 1.5.

Options for Reform

Amend NPP 1.3 and NPP 1.5

To provide greater certainty to business and individuals, NPP 1.3 and NPP 1.5 could be amended to make clear that there are situations where taking no steps to provide notice to an individual will be reasonable.

This approach would ensure consistency between the legislation and the guidance provided by the Privacy Commissioner. This would not involve any change in business practice, and would create greater certainty. This approach may also assist in reducing the length of privacy notices.

No change

While this was not a high-profile issue in submissions, it was identified and has been a matter of significant discussion between the Office and a range of businesses over past years. Therefore, while one option would be to monitor the issue further, this would mean that a known uncertainty in the law is not resolved in a timely fashion.

9.4 Recommendation: Reasonable steps for NPP 1.3 and 1.5

75. The Australian Government should consider amending NPP 1.3 and NPP 1.5 to make clear that there are situations in which the reasonable steps an organisation might take to provide notice to an individual may equate to no steps.

9.5 NPP 1.5 – collection from ‘someone’ else

Law and Policy

NPP 1.5 requires an organisation to take reasonable steps to notify an individual if it collects personal information about them from someone else.

The issue

In the course of providing advice and guidance on the operation of the Privacy Act, the Office has identified some uncertainty about how this principle operates.

NPP 1.5 applies to the indirect collection of personal information from others, such as other individuals or businesses. However, there is uncertainty about whether it applies to collection from another source such as a newspaper or a book, a court report, or a CD produced by a company.

There are good policy reasons why the notice obligations in NPP 1.5 should apply to an organisation in some circumstances when it collects personal information from these kinds of sources. For instance, the source may contain sensitive information about the individual, which could be connected with other information or decisions relating to the individual. If they are not advised about the collection, this could occur and have a significant impact on the person’s life without his or her knowledge.

The Office developed, consulted widely upon and issued an information sheet, which interprets NPP 1.5 as applying an organisation’s notice obligations (where to do so is reasonable) to these sources, as well as to collection from other individuals, or organisations and agencies.[240] The information sheet has gained widespread acceptance.

Options for Reform

Amend NPP 1.5

To give greater certainty to business and individuals, NPP 1.5 could be amended to make clear that an organisation has notice obligations when collecting personal information indirectly (that is, not from the individual) from any source (and not just a person, organisation or agency), where providing such notice is reasonable.

This would clarify and give certainty to the law in line with the information sheet and guidance issued by the Office. In this regard, there has been a call for the Office’s guidance material to provide greater legal certainty. The Law Council of Australia (36) suggests that the Privacy Act could be amended so that in the context of a matter going before a court, if an organisation has relied upon the Office’s guidance this will be seen by the court as persuasive.

Amending NPP 1.5 would, in effect, bring similar certainty to the Office’s interpretation and regulation of this principle, and would not further impact on current business practice.

No change

While this was not a high-profile issue in submissions, it has been a matter of significant discussion between the Office and a range of businesses over past years. Therefore, while one option would be to monitor the issue further, this would mean that a known uncertainty in the law is not resolved in a timely fashion.

9.6 Recommendation: NPP 1.5 – ‘Someone’

76. The Australian Government should consider amending NPP 1.5 to remove the term ‘someone’, and to make clear that an organisation has an obligation to take reasonable steps to provide notice to an individual when collecting their personal information indirectly, from any source.

9.7 NPP 2 – primary purpose and the collection of health information

Background

NPP 2 regulates the use and disclosure of personal information. It provides that uses or disclosures of personal information are limited to the purpose for which the information was initially collected (the ‘primary purpose’), unless a prescribed exception applies. There are a range of exceptions to this general rule.

The exception at NPP 2.1(a) provides that health information can be used or disclosed for another purpose where this is directly related to the primary purpose and the individual would reasonably expect the use or disclosure.

Law and Policy

Since the introduction of the private sector provisions of the Privacy Act, the Office has interpreted the primary purpose of collecting health information by a health service provider in the health care context as the main or dominant reason the individual is seeking assessment, treatment or care.

There is an intentionally close relationship between the primary purpose and the directly related purpose provisions at NPP 2.1(a), which in this context means that with open communication between a health service provider and an individual (something to be expected in the delivery of quality health care), a holistic approach to care can be agreed either explicitly or implicitly. In other words, where the individual expects their health information to be used in the delivery of health care to them in a holistic manner, it is permissible under NPP 2.

In implementing the NPPs, the Office has noted the health sector’s history of confidentiality; a duty incumbent upon health professionals as part of their fiduciary duty to individuals who are their patients or clients. While privacy obligations are broader than is a health professional’s duty of confidentiality, the latter builds upon the former. In that regard, there is good reason to expect that health professionals, and the services they work in, ought to be practised in appropriately managing the information of their patients and in respecting their wishes. The policy underpinning the NPPs anticipates the nature of this special relationship.

Accordingly, to date the Office has considered that the dynamic relationship within NPP 2 between primary purpose, directly-related secondary purposes and the test of meeting the individual’s reasonable expectations seeks to reflect the complex, dynamic and sometimes shifting relationships that patients and health care providers enjoy.

In this manner, the principle can permit a holistic approach to the handling of health information as part of holistic care to most individuals most of the time, and where this is what they expect. However, it also leaves room for negotiation of information-handling within alternate care arrangements for those with this need.

What submissions say – issues

A number of submissions argue against defining the primary purpose of collection on an episodic basis.[241] These submissions suggest that the current understanding of ‘primary purpose’ in the health context is too narrow.

The Mental Health Privacy Coalition (58) submits that:

‘modern health practice favours an approach to healthcare, which is holistic. An holistic approach to healthcare encompasses the idea of taking into account the past experiences and healthcare history of a particular person, and trying to project into the future their likely healthcare needs.’

The Australian Medical Association (29) similarly submits that:

‘the concept of “primary purpose” when applied in the context of health care should accommodate the meaning ‘the health care and well being of the patient’, unless another meaning is specifically agreed to between the doctor and the patient’.

The Australian Medical Association (29) also notes that what constitutes ‘primary purpose’ in a health care context is ‘a critical matter that underlies the whole privacy scheme’ and stated that ‘the care of a patient’s health and well being is not achieved by episodic care.’

Accordingly, there are some calls for NPP 2 to be amended to, as described by the Australian Medical Association, ‘recognise that the “primary purpose” of collection of health information by doctors is the “health care and well being” of the patient.’

One submission notes the change in the health sector to ‘healthcare models such as shared care and hospital at home programmes where services are provided by the public and private health care sectors working cooperatively’, South Australian Department of Health (53). It is suggested that such models lead to consumers assuming that their information is shared.

Where such models of health care result in uses or disclosures directly related to the primary purpose of collection, then they would be permitted by NPP 2.1(a) so long as consumers are aware such exchanges may occur.

Options for Reform

Amend National Privacy Principle 2

The Australian Government could amend NPP 2 in line with the suggestion of the Australian Medical Association to put beyond doubt that the ‘primary purpose’ of collection of health information by health services is for the holistic health care and well being of the patient.

One effect of such a change could be to allow any organisation that collects health information to use and disclose it for broader purposes, some of which individuals may not expect.

The amendment could somehow seek to constrain the breadth of further uses or disclosures of health information to a clinical, health care context, if this can be suitably defined. Even in this case, however, some individuals (as patients) may lose the ability to negotiate and enforce alternate health information-handling arrangements. Furthermore, it is unclear whether such amendment to the law would eventually reflect on the scope of the duty of confidentiality, as currently interpreted by the courts.

Broaden interpretation of NPP 2 through guidance

The Office could engage with the health sector and work to re-interpret and clarify current understanding of the primary purpose of collection of health information in the delivery of a health service. This could involve the Office issuing guidance similar to the scope of the legislative change suggested above, but either as binding or non-binding guidelines.

Under this approach, the Office could offer guidance stating that the collection of health information in the delivery of a health service is always for the provision of holistic health care.

Although not a legislative reform option, the practical effect would be the same, and the concerns noted above would seem to apply; most notably, the application of the principle loses its flexibility in responding to the myriad of relationships between health professionals and their patients.

Further guidance and education

The Office could engage with the health sector in order to develop more guidance to explain the operation of NPP 2.1(a) in the context of delivering health services. For example, that holistic care is permissible under NPP 2 on the grounds that collecting health information for a primary purpose and using it for other (holistic) health care delivery reasons over time (that is, directly related purposes) equates to the delivery of holistic treatment. This would be subject to open communication by providers with individuals about how care is delivered, and the approach to care being within the individual’s reasonable expectations.

In effect, this approach would reflect and refine the Office’s current view that in general, health service providers can proceed to provide care in the manner they consider appropriate for the individual they are treating, having recourse to that person’s needs and views. The provider always needs to take care not to exceed the expectations of the individual. In most situations, an individual's expectations will be apparent through normal communication with their provider.

If a provider is uncertain, they should check whether the individual understands, and whether they expect the proposed use or disclosure of their information. Of course, the provider may choose explicitly to seek consent.

This approach would be broadly consistent with that currently adopted by the Office. However, the Office recognises that more effective guidance is needed to assist health services to understand how NPP 2 can work for them. Furthermore, the Office could work with professional bodies to assist them in reflecting the operation of this key principle, to their members.

9.8 Recommendations: Primary purpose and health information

77. The Office will work with the health sector to develop further guidance about the operation of NPP 2 as it specifically relates to the issue of primary and secondary purpose in health care.

78. The Office will provide clearer guidance on the operation of NPP 2 to give more effective and practical assistance to demonstrate how the principle operates. This will take into account the range of relationships between health services and individuals, particularly where individuals agree to a holistic approach to the delivery of a health service.

9.9 NPP 3

Law and Policy

NPP 3 concerns data quality. It obliges an organisation to take reasonable steps to maintain the quality of the personal information it collects. The Office states in its Guidelines to the National Privacy Principles that ‘the aim of NPP 3 is to prevent the adverse consequences for people that might result from an organisation collecting, using, or disclosing inaccurate, incomplete or out-of-date personal information’.

What submissions say – issues

A small number of submissions commented on the operation of NPP 3.[242] Some comments were also raised in consultations.

Debate focused on whether data quality was intended as an overriding obligation on organisations when considering their personal information-handling practices. Some organisations argued in favour of certain contentious practices on the basis of their need to comply with NPP 3.

A confidential submission states that enabling organisations to use Australian Government identifiers, such as Medicare and passport numbers, means they could better comply with their data quality obligations. A comment made in consultations is that organisations need to be able to use publicly available personal information to ensure data quality and accuracy.

‘such an interpretation of the NPP 3 accuracy requirement is plainly contrary to the intent and objectives of the (Privacy Act). NPP 3 must be amended to make clear that it cannot be used as an excuse for giving individuals less choice in relation to the use and disclosure of their personal information.’

The Australian Medical Association in consultations argued that data quality is important, but not overriding.

The Consumer Credit Legal Centre (62) and the Consumers’ Federation of Australia (65) contend that a number of the listings given to credit reporting agencies by credit providers are inaccurate. These submissions contend that credit providers can have systematic inaccurate listings, as seen from the One.Tel listing inaccuracies. The submissions argue that situations such as that involving One.Tel indicate that adequate systems are not in place to ensure data quality of credit report listings.

Options for Reform

Provide more guidance

Some organisations seem to consider that their obligation (under NPP 3) to keep personal information accurate, complete and up-to-date is an absolute obligation, and indeed that it could be used to justify intruding upon an individual’s privacy.

However, obligations under the NPPs are not absolute. NPP 3 requires an organisation to take reasonable steps to ensure data quality. This includes balancing NPP obligations with other obligations and responsibilities.

In the Office’s view, it is not reasonable to take steps under NPP 3 to ensure data accuracy where this does not have any privacy benefit for the individual. For example, an individual may choose deliberately not to tell an organisation that they have changed addresses, because they do not want to be contacted. Unless pursuing a debt or in respect of a similarly serious matter, it is unlikely to be reasonable for the organisation to seek to update the information they hold about the person, just to contact them further.

In this context, the Office could provide further guidance about organisations’ obligations under NPP 3, and the reasonable steps they may need to take to maintain data quality.

Amend the law

The Australian Government could amend NPP 3 to seek to clarify that maintaining data quality is not an absolute obligation above all others. However, given the high-level nature of the NPPs that call for judgement by organisations when handling personal information in the particular circumstances at hand, this may not be a preferred approach.

9.10 Recommendation: NPP 3 – Data quality

79. The Office will provide further guidance to organisations about their obligations under NPP 3, particularly to ensure they take a proportional approach to complying with the principle. This will include guidance about organisations taking into account whether or not there are good privacy reasons for seeking to update an individual’s personal information.

9.11 NPP 4

All the issues for this NPP are dealt with in Chapter 6.

9.12 NPP 5

All the issues for this NPP are dealt with in Chapter 4.

9.13 NPP 6

All the issues for this NPP are dealt with in Chapter 4.

9.14 NPP 7

Law and policy

National Privacy Principle 7 seeks to ensure that the increasing use of Australian Government identifiers[243] does not lead to a de facto system of universal identity numbers, and to prevent any loss of privacy from the combination and re-combination of this data, including with other information. Similarly, tax file number legislation already restricts the way an organisation can collect, use or disclose a tax file number.

Unless prescribed by regulation, NPP 7.1 prohibits an organisation from collecting an Australian Government assigned identifier from the people with whom it deals, and then using that identifier to organise and match other personal information with reference to that identifier. In other words, an organisation is not permitted to adopt an Australian Government identity number as if it were its own identity number.

National Privacy Principle 7.2 limits organisations’ handling of Australian Government identifiers. Such identifiers may be used:

‘where necessary for the organisation to fulfil its obligations to the agency that assigned the identifier to the individual; or

in certain prescribed circumstances in which there is a public interest, set out as exceptions (e) to (h) for NPP 2. These exceptions include uses or disclosures in the interest of lessening or preventing a serious and imminent threat to any individual, or where the use or disclosure is authorised or required by or under law.’

NPPs 7.1A and 7.2(c) allow for regulations to be proposed by the Attorney-General, and made by the Governor-General, to relax these restrictions.

Issues

The Office is aware of a range of practices involving the collection of Australian Government identifiers for the purpose of establishing adequate evidence of identity (EOI). For example, individuals may be asked to present a Medicare card, a current Australian Passport, a document with a Centrelink customer reference number (CRN), or a citizenship certificate when first entering into a transaction with an organisation. In some cases, organisations take a photocopy of the Medicare card or relevant page of the Passport. Such a photocopy would include the Medicare number or Passport number, which is the identifier in question.

The Office is also aware of increasing concerns relating to identity theft, identity fraud and identity security, which appear to be driving an increase in demands for EOI. This can lead to concerns from individuals about the increasing collection of information from their important identity documents; particularly for transactions in which such EOI was not previously sought.

NPP 7 does not explicitly prohibit the collection of identifiers. However, NPP 1 regulates the collection of personal information generally, and this would include identifiers. Therefore, if an organisation is to collect an identifier it must consider its obligations under NPP 1.

What the submissions say – issues

Government identifiers and concessions

Telstra (110), the Department of Family and Community Services (81) andCentrelink (107) discuss procedures by which private organisations such asTelstra confirm that an individual is a customer of a relevant AustralianGovernment agency, and so is entitled to a concession rate from theorganisation.

One convenient means of doing such a check is for the organisation to collectan individual’s Centrelink CRN, and pass it onto Centrelink to confirm theperson’s eligibility to concessional entitlements. However, the restriction onthe use or disclosure of Australian Government identifiers (under NPP 7.2)may prohibit this use of the CRN. This would make it more difficult fororganisations to confirm a customer’s eligibility for concessional services.

These three submissions suggest that NPP 7 should be amended to includean exception to the limitation upon the use and disclosure of AustralianGovernment identifiers, so that the individual concerned can give consent tothe use or disclosure of their identifier.

Identifiers and market research

The Association of Market Research Organisations (AMRO) and theAustralian Market and Social Research Society (AMSRS) (61) suggest thatNPP 7 has the unintended effect of curtailing practices that pose no threat toprivacy and are potentially of significant public benefit. AMRO/AMSRSsuggest that conducting a longitudinal study into the effectiveness of aCentrelink program would only be possible with the use of AustralianGovernment identifiers.

Stakeholder meetings also included questions about the meaning and intention of NPP 7.

AMRO/AMSRS suggest that NPP 7 be clarified, preferably by amendment to enable the use and transfer of Australian Government identifiers by organisations where it would pose no threat to any individual’s privacy. AMRO/AMSRS note that there are technical means of making use of such identifiers which nevertheless do not allow the attribution of any personal information to identified individuals.

In particular, this submission singles out the lack of a prohibition on the collection of Australian Government identifiers. The submission also notes the lack of prohibitions on the handling of state and territory government identifiers, such as driver’s licence numbers.

Options for reform

Consent exception

Allowing the use and disclosure of Australian Government identifiers, with the consent of the individual concerned, may assist both organisations and government agencies to provide services, including concessional services, more efficiently.

However, as discussed further in the section on bundled consent (see Chapter 4), some organisations may seek to make consent to the use and disclosure of identifiers a condition of providing a service, or a condition of providing a service at a concessional rate. Widespread collection of Australian Government identifiers could result. This would be inconsistent with the policy intention of NPP 7, which is to ensure that Australian Government identifiers do not become de facto national identity numbers, allowing for easy aggregation of personal data across unrelated organisations.

Making regulations

The regulation-making powers under NPP 7, and sub-sections 100(2) and (3), appear to be sufficient to deal with the particular concerns raised in the submissions.

However, the Department of Family and Community Services (81) suggests that making such regulations would be a cumbersome approach to the issue. In considering such an argument, the policy intent underpinning this principle must be borne in mind. This was ‘to prevent the gradual adoption of government identity numbers as de facto universal identity numbers’.[244]

Therefore, while the impact (for government agencies) of making regulations needs to be acknowledged, this needs to be balanced with the public interest in ensuring that NPP 7 achieves its stated policy aims.

The making of regulations can address the matter raised about checking the concessional status of individuals without risking the widespread collection, use and disclosure of Australian Government identifiers. Similarly, if warranted, a research study that required the use of such identifiers beyond the existing scope of NPP 7.2 could be enabled by regulation.

Prohibit the collection of identifiers

The collection of identifiers into a record is regulated by NPP 1, including NPP 1.1 which limits the collection of personal information to that which is necessary for one or more of an organisation’s functions or activities.

Therefore, if an identifier is collected by an organisation, but cannot be lawfully used or disclosed pursuant to NPP 7.2, then the collection is not necessary for one of the organisation’s functions or activities. As a consequence, the collection would be prohibited by NPP 1.1.

Depending on the circumstances, and where there are no other laws requiring or authorising the collection of the identifier in question, the collection of an identifier ‘just in case’ it is needed for some future purpose is likely to be in breach of NPP 1.1. Arguably, therefore, there is no requirement for an amendment to the principle to specifically prohibit the collection of Australian Government identifiers.

No change

Given the significance of the policy underpinning this principle and the flexibility permitted by regulation-making (to address specific issues requiring the use or disclosure of identifiers), no change in the law may be warranted.

75.11 Recommendation: NPP 7 - Identifiers

80. The Australian Government should consider using the existing regulation-making mechanism under NPP 7 to address circumstances such as those identified by Centrelink regarding concessional entitlements.

75.12 NPP 8

All issues for this NPP are dealt with in Chapter 8.

75.13 NPP 9

Law and Policy

Public Interest Determinations (PIDs) enable the Privacy Commissioner to reduce the privacy protections of one or more of the National Privacy Principles (NPPs) in certain circumstances. In order to issue a PID, the Privacy Commissioner must be satisfied of two matters: first, that an act or practice of an organisation breaches or may breach a NPP or a privacy code (a Code); and second, that the act or practice should nevertheless be permitted because the public interest in its continuation substantially outweighs the public interest in adhering to the NPP or the Code.

The Privacy Commissioner issued PIDs 9 and 9A in October 2002.[245] The combined effect of PIDs 9 and 9A is to exempt providers of health services,[246] in certain circumstances, from complying with NPP 10.1.

NPP 10.1 limits the collection of sensitive information, by an organisation, from or about an individual without that person’s consent. The Commissioner found that the collection of sensitive information about third parties (which is necessary to obtain the family, social or medical history of an individual during the provision of a health service) did not fall within the limited exceptions outlined in NPP 10.1 to 10.3. The Commissioner was of the view that such collection would breach NPP 10.1.

The collection of family, social and medical history information is a critical part of providing assessment, diagnosis and treatment to individuals. The Commissioner acknowledged that obtaining the consent of third parties to collect their information, and notifying those individuals about these collections, would be impractical, inefficient and detrimental to the provision of quality health outcomes.

The Commissioner recognised that the public interest is served by the efficient and accurate diagnosis and treatment of individuals by clinicians, and this is fundamentally underpinned by the taking of family, social and medical histories.

Under PIDs 9 and 9A, a health service provider may collect health information from an individual (a health consumer) about a third party, without the consent of the third party, when both of the following conditions are met:

‘the collection of the third party's information into an individual’s social, family or medical history is necessary to provide a health service directly to the individual; and

the third party's information is relevant to the family, social or medical history of the individual receiving the health service.’

PIDs 9 and 9A do not represent an exemption from all of the NPPs. Therefore, NPPs 1 to 9 and NPPs 10.2 and 10.3 continue to apply to the handling of this type of information by organisations providing a health service.

In addition, health service providers that collect third party information into social, family or medical histories must comply with their obligations under NPP 2.1(a). Therefore, proposed further uses or disclosures of this information for secondary purposes must be directly related to the initial reason it was collected (that is, for the history of the individual seeking treatment) and something the third party would reasonably expect, unless one of the other exceptions to NPP 2 applies.

The Commissioner issued PIDs 9 and 9A for a period of 5 years, with a review of the Determinations to take place at or before that time (that is, by October 2007).

What the submissions say – issues

A number of submissions comment on the effectiveness and importance of PIDs 9 and 9A. There is a general consensus that the PIDs are necessary and that they are operating smoothly.

Submissions state that the collection of family histories, as allowed by PIDs 9 and 9A, is most important when providing holistic treatment to an individual.

This is particularly so in the area of mental health where it is considered important for the treating clinician to have an understanding of the individual’s perceived familial relationships. A family history narrative will reveal much about the individual’s attitudes and emotional make-up, which is generally more important to the clinician than information about the family members per se (Australian Medical Association, 29; Mental Health Privacy Coalition, 58). As mentioned by the Australian Medical Association (29), ‘leaving aside the impracticalities of obtaining third-party consent, should the family member’s consent be required, or should the family member access and correct the information, the value of the collected information would be lost.’

No submissions raised negative views on the operation of PIDs 9 and 9A. Conversely, there is a call for the Privacy Act to be amended to substantively incorporate these PIDs.[247] For example, there is concern that the PIDs operate for only a finite time. Given the ongoing nature of this activity (that is, it is an enduring element of providing quality health care), submissions recommend that the PIDs be incorporated into law. This would help assure health service providers that they can continue to offer best practice healthcare, including the collection of social, family and medical history information.

Support for the inclusion of provisions in the Privacy Act to reflect the PIDs came from submissions including the Australian Medical Association (29), the Mental Health Privacy Coalition (58) and the Australian Government Department of Health and Ageing (99).

The Mental Health Privacy Coalition (58) outlines some examples of limited exceptions that may be considered were the PIDs to be incorporated into the Privacy Act. These exceptions include permitting the collection of a third party’s DNA or electronic health record information only with that third party’s consent. The Mental Health Privacy Coalition acknowledges that emergency health situations may require variations to such exceptions.

The Office is aware of common practices in the insurance industry pertaining to the collection of family history information when an individual makes an application for some insurance products. In its report Essentially Yours: The Protection of Human Genetic Information in Australia, the Australian Law Reform Commission and the Australian Health Ethics Committee note that:

‘insurance companies routinely collect family medical history information and use it in underwriting. The collection and use is based on the long recognised fact that certain diseases have a hereditary component, and that information about the medical history of family members is relevant in assessing the applicant’s risk.’[248]

The Australian Law Reform Commission and the Australian Health Ethics Committee Inquiry received submissions calling for amendments to the Privacy Act, or the issuing of amended PIDs, to provide clarity that the collection of family medical history information, in the course of processing an application for insurance, is not a breach of NPP 10.[249] The Inquiry recommended (Recommendation 28-3) that a PID be sought by insurers. To date, the Privacy Commissioner has not considered an application for a PID in these terms.

Options for Reform

Amend NPP 10 – add additional exception

The principle could be amended by inserting an additional exception, such as a NPP 10.1(f). This exception would mirror the operation of the PIDs for the collection of third party information into a family, social or medical history in the delivery of a health service to an individual.

Amend NPP 10 – add additional provision to NPP 10.2(b)

As NPP 10.2 provides a specific context for the collection of health information in order to deliver a health service, there may be greater policy cogency in adding a provision (such as a NPP 10.2(b)(iii)) to reflect the operation of the PIDs.

Amend NPP 10 with exceptions or variations

The substance of the PIDs could be incorporated into NPP 10 (for instance in either of the above ways), but with some further exceptions or variations.

For example, the Mental Health Privacy Coalition stated that ‘the Commissioner may wish to delineate some extremely limited exceptions. For instance, it may be appropriate to rule that DNA information offered to a healthcare practitioner, which concerns another individual, even a family member, should only be provided with the specific consent of that family member.’

Consideration could also be given to the views of the insurance sector, as expressed to the Australian Law Reform Commission and the Australian Health Ethics Committee Inquiry into the protection of human genetic information (particularly in regard to Recommendation 28-3). If the collection practices of the insurance sector reflect a similar public interest, and are as settled as those of the health service delivery sector, then for the same reasons a substantive amendment to the law may be more appropriate than a PID.

No change

Under this option, no amendment is made to the Privacy Act. In this case, the PIDs would need to be reviewed by October 2007. In accordance with the Legislative Instruments Act 2003, any further determinations would be operational for a period of up to 10 years. This would not meet the need for regulatory certainty expressed during the Review.

75.15 Recommendations: NPP 10 – Public Interest Determinations

81. The Australian Government should consider amending NPP 10 to include an exception that mirrors the operation of Public Interest Determinations 9 and 9A.

82. The Australian Government should consider undertaking consultation on limited exceptions or variations to the collection of family, social and medical history information, particularly with regard to genetic information and the collection practices of the insurance industry.

75.16 NPP 10.2 – Collecting health information without consent

Law and Policy

Introduction

The Privacy Act recognises important social interests that include the effective delivery of health services. In many circumstances, health service providers can only provide individuals with health services after collecting information about the individual and their health. On the other hand, the individual is entitled to retain a degree of control over the collection of their health information and how it is handled.

NPP 10.1(a) prohibits an organisation from collecting an individual’s sensitive information (including their health information) unless they have given consent. There are a number of exceptions to this rule.

Exception: in the delivery of a health service

One such exception (NPP 10.2) recognises the need for a health service provider to collect an individual’s health information in order to deliver health services to them. This is permissible when the information is collected by the provider either as required by law (other than the Privacy Act), or in accordance with rules that are established by competent health or medical bodies which deal with obligations of professional confidentiality; such rules must bind the health service provider (NPP 10.2(a)(i) and (ii)).

Scope of the exception

The two sub-paragraphs of NPP 10.2 recognise two different circumstances, in the delivery of health services, where the collection of an individual’s health information can be effected without consent.

Firstly, a health service provider may have a legal obligation set out in statute, or arising from the common law, which requires the collection of certain health information in the context of providing a health service. For example, a medical practitioner may need to collect a child’s health information from the child’s parent or guardian, under their duty of care to the child.

Secondly, a professional body of health service providers could, for example, establish a set of rules, or a binding code of practice, which (in the context of the body’s commitment to observing confidentiality) also includes binding rules relating to the collection of health information from and about individuals.

The issue

While not significantly reflected in submissions, the Office’s experience with NPP 10.2 raises issues of interpretation and application of the law.

Required by law

NPP 10.1(b) allows sensitive information (which includes health information) to be collected without consent where ‘the collection is required by law’. This provision appears to repeat, in part, the wording of NPP 10.2(b)(ii).

However, the relationship between NPPs 10.1(b) and 10.2(b)(i) is not clear. It is difficult to distinguish between the limitations upon organisations generally when collecting sensitive information (as required by law) under NPP 10.1(b), and those created by the similarly stated provision (10.2(b)(i)) that are imposed upon organisations delivering health services.

Authorised by law

The disclosure of an individual’s health information by a health service provider (or other organisation) without the individual’s consent is permitted under NPP 2.1(g) where such a disclosure is ‘required or authorised by or under law’.

By contrast, the more restrictive provisions of NPP 10.2(b)(i), especially in the context of health service delivery, have the potential to unduly impede the effective delivery of such services. The restrictive character of this sub-paragraph may be inconsistent with the Privacy Act’s general reliance upon the ethical traditions, including recognition of the duty of confidentiality, of health service providers.

There may be an argument for recognising that where an organisation is delivering a health service and there is a stated legal authority for it to collect health information about an individual, NPP 10 should permit this to occur without consent.

Binding rules of confidentiality

The Privacy Act and the NPPs acknowledge that health professionals have a history of adhering to their duty of confidentiality toward patients and their health information.

This is reflected in provisions such as NPP 10.2(b)(ii), with its reliance upon binding rules of professional bodies that appear to need to pertain to the collection of health information. The exact nature and construction of these binding rules is uncertain given the current construction of the provision.

To date, the Office has not been presented with an example of binding rules that would satisfy the requirements of NPP 10.2(b)(ii), nor is the Office aware of the operation of such rules in the health sector.

Options for Reform

No change

As the construction and operation of these provisions did not feature generally in submissions or views put to this Review, it may be feasible to take no action on these issues.

Greater clarity through legislative amendment

Given the intent of NPP 10.2, there appears to be merit in providing greater clarity and certainty in the legislative scheme regarding the collection of health information in the delivery of health services, and particularly with regard to the provision of clinical or therapeutic care.

Changes to the legislation could better and more effectively reflect the health sector’s history of working within the duty of confidentiality to patients. This could include permitting the collection of health information (by an organisation when delivering a health service to an individual) when authorised by law, as well as when required by law.

Greater legislative clarity could be provided about the precise nature of the types of binding rules envisaged by NPP 10.2(b)(ii), and particularly to establish (or otherwise) that these rules must deal with matters about the collection of health information (albeit in the context of obligations of professional confidentiality).

With appropriate amendments to NPP 10.2, the balance between the privacy protection afforded to individuals and the need for effective delivery of health services can be better achieved. Further guidance from the Office would be necessary, following such amendments, to assist organisations and the sector in the application of the provisions in practice.

75.17 Recommendations: NPP 10.2(b)

83. The Australian Government should consider amending NPP 10.2 to permit the collection of health information (under NPP 10.2(b)(i)) ‘as authorised by law’ in addition to ‘as required by law’.

84. The Australian Government should consider amending NPP 10.2(b)(ii) to clarify the nature of the binding rules intended to be covered by this provision, particularly with regard to the substantive content of such rules.

76 Other issues with the private sector provisions of the Privacy Act

76.1 Information of deceased persons

Law and Policy

Privacy Act

The Privacy Act does not appear to create privacy obligations in relation to the handling of personal information of deceased persons. The Privacy Act regulates the handling of ‘personal information’. Personal information is defined under section 6(1) as:

‘information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion;’

The term ‘individual’ is defined under section 6(1) as meaning ‘a natural person’. The term ‘natural person’ is not defined under the Privacy Act or the Acts Interpretation Act 1901; however, it appears the term is usually used to distinguish human beings from artificial persons or corporations.[250] Whether the term ‘natural persons’ includes a deceased human being does not appear to have been subject to judicial consideration in Australia or the United Kingdom. The Office considers the term ‘natural person’ to mean a living human being, as this is the plain English meaning of the term.

To add further weight to this view, the legislation does not appear to provide any mechanism for a person to make a complaint other than the individual whose privacy has been interfered with.[251] Section 36(1) of the Privacy Act states:

‘an individual may complain to the Privacy Commissioner about an act or practice that may be an interference with the privacy of the individual’.

Therefore, it appears another person could not lodge a complaint about an alleged breach of privacy of a deceased person.

This position can be contrasted with other Commonwealth and state legislation that protects a person’s information generally for thirty years after their death.

Other State and Commonwealth Legislation

Some other legislation governing the handling of personal information does protect that information for a period after a person’s death.

Under section 5(3)(a) of the Health Records and Information Privacy Act 2000 (NSW) and section 4(3) of the Privacy and Personal Information Protection Act 1998 (NSW), the definition of personal information does not include information about an individual who has been dead for more than 30 years.

Similarly, ‘personal information’ is defined under section 3(1) of the Victorian Health Records Act 2001 as

‘information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion, but does not include information about an individual who has been dead for more than 30 years;’ (emphasis added).

In Tasmania, the Personal Information Protection Act 2004 was passed in November 2004 and received Royal Assent on 17 December 2004. This legislation applies to deceased persons’ information for 25 years after death.

The draft National Health Privacy Code would apply to the health information of those who have been dead for 30 years or less.

The Freedom of Information Act 1982, under section 41(1), makes specific reference to the protection of a deceased person’s information in relation to the unreasonable disclosure of personal information.[252]

Also, 30 years is the point for commencement of the ‘open access period’ in section 3(7) of the Archives Act 1983.

What submissions say – issues

A small number of submissions refer to the handling of deceased persons’ information. Of those that comment, all recommend that the Privacy Act be amended to include protection of deceased persons’ information,[253] with most suggesting the protection be extended to thirty years after a person’s death. This recommendation was made by the Australian Law Reform Commission and the Australian Health Ethics Committee in its report Essentially Yours: The Protection of Human Genetic Information in Australia (Recommendation 7-6). In support of recommending that people’s health information be protected for 30 years after their death, the report states that:

‘it is desirable that information privacy protection extend to genetic information about deceased individuals because of the implications that the collection, use or disclosure of this information may have for living genetic relatives. It appears preferable for representatives of the deceased to be able to consent to the collection, use or disclosure rather than to leave decisions about these matters outside the Privacy Act’.[254]

Some submissions recommend (as do the Australian Law Reform Commission and the Australian Health Ethics Committee) that the Privacy Act also be amended to include provisions for decision-making in respect of the personal information of deceased persons, either by a next-of-kin or an authorised person of deceased individuals.[255] No practical recommendations are made in the submissions, although it is assumed that such amendments would need to include the ability to make a complaint on behalf of the deceased person and to gain access to the deceased person’s information.

Options for Reform

Extend coverage of the Privacy Act to cover the personal information of individuals until 30 years after death

As discussed above, some Commonwealth and state legislation protects an individual’s personal information for up to 30 years after death. Extending coverage in the Privacy Act in similar terms would bring it in line with such legislation and create greater national consistency.

From consultations it is clear there is considerable confusion among the community about whether or not the Privacy Act covers personal information of people who have died. The policy rationale for protecting all of the personal information of individuals for 30 years after death is unclear.

Taking this approach could create difficulties for those collecting information for archival purposes after people die, particularly if the collection includes sensitive information, as the person would be unable to consent. Also, there are presently no provisions in the Privacy Act for a person to complain on behalf of a person who has died. Any amendments to the Privacy Act would need to take these issues into account.

Extend coverage of the Privacy Act to cover the genetic information of individuals until 30 years after death

The Australian Law Reform Commission and the Australian Health Ethics Committee recommend that the Privacy Act be amended to cover an individual’s genetic information for 30 years after they die.

As stated above, this is because the handling of genetic information of a deceased person can have an impact on their genetic relatives.

However, this matter is outside the terms of reference of this review.

Consider protection for the information of deceased persons as part of a wider review of the Privacy Act

There may need to be more consideration of the policy rationale for covering personal information generally, for up to 30 years after a person has died. Also, with possible implications for the construction of the NPPs and other aspects of the legislation, whether the coverage of the Privacy Act should be extended in this regard might be canvassed better in a wider review of the legislation as proposed in recommendation 1.

76.2 Recommendations: Deceased persons

85. If the National Health Privacy Code is adopted into the Privacy Act (see recommendation 13), then protection for health information under these provisions would extend to deceased persons. Also, the Australian Government’s response to the Australian Law Reform Commission and the Australian Health Ethics Committee’s Inquiry into the protection of human genetic information in Australia may have implications for the Privacy Act. In addition, the Australian Government should consider as part of a wider review (recommendation 1) whether the jurisdiction of the Privacy Act should be extended to cover the personal information of deceased persons.

76.3 Employee Records Exemption

Law and Policy

Under section 7B(3), an act done, or practice engaged in, by an organisation that is or was an employer of an individual is exempt from the NPPs if the act or practice is directly related to:

a current or former employment relationship between the employer and the individual; and

an employee record held by the organisation and relating to the individual.

What submissions say

Despite the Terms of Reference expressly excluding the employee records exemption from the Review, a number of submissions comment on the exemption.[256] The issue also arose in consultation sessions.

National Consistency

A goal of the NPPs was to create a single, comprehensive, nationally consistent privacy scheme for the private sector. Most of the submissions that raise the employee records exemption do so in the context of examining how the Privacy Act is achieving national consistency.

A concern arising out of submissions is that various pieces of state legislation are being enacted in order to deal with employment privacy issues such as workplace surveillance.[257] This concern was raised in submissions that were both in favour of, and against, the exemption.

76.4 Political Exemption

Law and Policy

The exemption for political acts and practices is in section 7C of the Privacy Act. Section 7C(1) states:

An act done, or practice engaged in, by an organisation (the political representative) consisting of a member of a Parliament, or a councillor (however described) of a local government authority, is exempt for the purposes of paragraph 7(1)(ee) if the act is done, or the practice is engaged in, for any purpose in connection with:

an election under an electoral law; or

a referendum under a law of the Commonwealth or a law of a state or territory; or

the participation by the political representative in another aspect of the political process.

Subsections 7C(2), (3) and (4) extend the exemption to contractors, subcontractors and volunteers for registered political parties.

What submissions say

A number of submissions comment on the political exemption[258] despite the exemption being outside the Terms of Reference for the Review. The issue also arose in consultation sessions.

In general, those that did comment upon the exemption did not approve of it.

Also, there is some criticism that the exemption has been excluded from theTerms of Reference of the Review.

Appendix 1

Terms of Reference

Review of the Private Sector Provisions of the Privacy Act 1988

I, PHILIP RUDDOCK, Attorney-General of Australia, under section 27(1)(f) of the Privacy Act 1988, request that the Privacy Commissioner review the operation of the private sector provisions contained in the Privacy Amendment (Private Sector) Act 2000 and report on that review not later than 31 March 2005.

In undertaking the review, I ask that the Privacy Commissioner consider the degree to which the private sector provisions meet their objects, being:

a. to establish a single comprehensive national scheme providing, through codes adopted by private sector organisations and National Privacy Principles, for the appropriate collection, holding, use, correction, disclosure and transfer of personal information by those organisations; and

b. to do so in a way that:

i. meets international concerns and Australia's international obligations relating to privacy;

ii. recognises individuals' interests in protecting their privacy; and

iii. recognises important human rights and social interests that compete with privacy, including the general desirability of a free flow of information (through the media and otherwise) and the right of business to achieve its objectives efficiently.

Appendix 4

National Privacy Principles

The National Privacy Principles as set out in Schedule 3 of the Privacy Act 1988 are as follows:

1 Collection

1.1 An organisation must not collect personal information unless the information is necessary for one or more of its functions or activities.

1.2 An organisation must collect personal information only by lawful and fair means and not in an unreasonably intrusive way.

1.3 At or before the time (or, if that is not practicable, as soon as practicable after) an organisation collects personal information about an individual from the individual, the organisation must take reasonable steps to ensure that the individual is aware of:

(a) the identity of the organisation and how to contact it; and

(b) the fact that he or she is able to gain access to the information; and

(c) the purposes for which the information is collected; and

(d) the organisations (or the types of organisations) to which the organisation usually discloses information of that kind; and

(e) any law that requires the particular information to be collected; and

(f) the main consequences (if any) for the individual if all or part of the information is not provided.

1.4 If it is reasonable and practicable to do so, an organisation must collect personal information about an individual only from that individual.

1.5 If an organisation collects personal information about an individual from someone else, it must take reasonable steps to ensure that the individual is or has been made aware of the matters listed in subclause 1.3 except to the extent that making the individual aware of the matters would pose a serious threat to the life or health of any individual.

2 Use and disclosure

2.1 An organisation must not use or disclose personal information about an individual for a purpose (the secondary purpose) other than the primary purpose of collection unless:

(a) both of the following apply:

(i) the secondary purpose is related to the primary purpose of collection and, if the personal information is sensitive information, directly related to the primary purpose of collection;

(ii) the individual would reasonably expect the organisation to use or disclose the information for the secondary purpose; or

(b) the individual has consented to the use or disclosure; or

(c) if the information is not sensitive information and the use of the information is for the secondary purpose of direct marketing:

(i) it is impracticable for the organisation to seek the individual’s consent before that particular use; and

(ii) the organisation will not charge the individual for giving effect to a request by the individual to the organisation not to receive direct marketing communications; and

(iii) the individual has not made a request to the organisation not to receive direct marketing communications; and

(iv) in each direct marketing communication with the individual, the organisation draws to the individual’s attention, or prominently displays a notice, that he or she may express a wish not to receive any further direct marketing communications; and

(v) each written direct marketing communication by the organisation with the individual (up to and including the communication that involves the use) sets out the organisation’s business address and telephone number and, if the communication with the individual is made by fax, telex or other electronic means, a number or address at which the organisation can be directly contacted electronically; or

(d) if the information is health information and the use or disclosure is necessary for research, or the compilation or analysis of statistics, relevant to public health or public safety:

(i) it is impracticable for the organisation to seek the individual’s consent before the use or disclosure; and

(ii) the use or disclosure is conducted in accordance with guidelines approved by the Commissioner under section 95A for the purposes of this subparagraph; and

(iii) in the case of disclosure – the organisation reasonably believes that the recipient of the health information will not disclose the health information, or personal information derived from the health information; or

(e) the organisation reasonably believes that the use or disclosure is necessary to lessen or prevent:

(i) a serious and imminent threat to an individual’s life, health or safety; or

(ii) a serious threat to public health or public safety; or

(f) the organisation has reason to suspect that unlawful activity has been, is being or may be engaged in, and uses or discloses the personal information as a necessary part of its investigation of the matter or in reporting its concerns to relevant persons or authorities; or

(g) the use or disclosure is required or authorised by or under law; or

(h) the organisation reasonably believes that the use or disclosure is reasonably necessary for one or more of the following by or on behalf of an enforcement body:

(i) the prevention, detection, investigation, prosecution or punishment of criminal offences, breaches of a law imposing a penalty or sanction or breaches of a prescribed law;

(ii) the enforcement of laws relating to the confiscation of the proceeds of crime;

(v) the preparation for, or conduct of, proceedings before any court or tribunal, or implementation of the orders of a court or tribunal.

Note 1: It is not intended to deter organisations from lawfully cooperating with agencies performing law enforcement functions in the performance of their functions.

Note 2: Subclause 2.1 does not override any existing legal obligations not to disclose personal information. Nothing in subclause 2.1 requires an organisation to disclose personal information; an organisation is always entitled not to disclose personal information in the absence of a legal obligation to disclose it.

Note 3: An organisation is also subject to the requirements of National Privacy Principle 9 if it transfers personal information to a person in a foreign country.

2.2 If an organisation uses or discloses personal information under paragraph 2.1(h), it must make a written note of the use or disclosure.

2.3 Subclause 2.1 operates in relation to personal information that an organisation that is a body corporate has collected from a related body corporate as if the organisation’s primary purpose of collection of the information were the primary purpose for which the related body corporate collected the information.

2.4 Despite subclause 2.1, an organisation that provides a health service to an individual may disclose health information about the individual to a person who is responsible for the individual if:

(a) the individual:

(i) is physically or legally incapable of giving consent to the disclosure; or

(ii) physically cannot communicate consent to the disclosure; and

(b) a natural person (the carer) providing the health service for the organisation is satisfied that either:

(i) the disclosure is necessary to provide appropriate care or treatment of the individual; or

(ii) the disclosure is made for compassionate reasons; and

(c) the disclosure is not contrary to any wish:

(i) expressed by the individual before the individual became unable to give or communicate consent; and

(ii) of which the carer is aware, or of which the carer could reasonably be expected to be aware; and

(d) the disclosure is limited to the extent reasonable and necessary for a purpose mentioned in paragraph (b).

2.5 For the purposes of subclause 2.4, a person is responsible for an individual if the person is:

(a) a parent of the individual; or

(b) a child or sibling of the individual and at least 18 years old; or

(c) a spouse or de facto spouse of the individual; or

(d) a relative of the individual, at least 18 years old and a member of the individual’s household; or

(e) a guardian of the individual; or

(f) exercising an enduring power of attorney granted by the individual that is exercisable in relation to decisions about the individual’s health; or

(g) a person who has an intimate personal relationship with the individual; or

(h) a person nominated by the individual to be contacted in case of emergency.

2.6 In subclause 2.5:

child of an individual includes an adopted child, a step-child and a foster-child, of the individual.

parent of an individual includes a step-parent, adoptive parent and a foster-parent, of the individual.

relative of an individual means a grandparent, grandchild, uncle, aunt, nephew or niece, of the individual.

3 Data quality

An organisation must take reasonable steps to make sure that the personal information it collects, uses or discloses is accurate, complete and up-to-date.

4 Data security

4.1 An organisation must take reasonable steps to protect the personal information it holds from misuse and loss and from unauthorised access, modification or disclosure.

4.2 An organisation must take reasonable steps to destroy or permanently de-identify personal information if it is no longer needed for any purpose for which the information may be used or disclosed under National Privacy Principle 2.

5 Openness

5.1 An organisation must set out in a document clearly expressed policies on its management of personal information. The organisation must make the document available to anyone who asks for it.

5.2 On request by a person, an organisation must take reasonable steps to let the person know, generally, what sort of personal information it holds, for what purposes, and how it collects, holds, uses and discloses that information.

6 Access and correction

6.1 If an organisation holds personal information about an individual, it must provide the individual with access to the information on request by the individual, except to the extent that:

(a) in the case of personal information other than health information – providing access would pose a serious and imminent threat to the life or health of any individual; or

(b) in the case of health information – providing access would pose a serious threat to the life or health of any individual; or

(c) providing access would have an unreasonable impact upon the privacy of other individuals; or

(d) the request for access is frivolous or vexatious; or

(e) the information relates to existing or anticipated legal proceedings between the organisation and the individual, and the information would not be accessible by the process of discovery in those proceedings; or

(f) providing access would reveal the intentions of the organisation in relation to negotiations with the individual in such a way as to prejudice those negotiations; or

(g) providing access would be unlawful; or

(h) denying access is required or authorised by or under law; or

(i) providing access would be likely to prejudice an investigation of possible unlawful activity; or

(j) providing access would be likely to prejudice:

(i) the prevention, detection, investigation, prosecution or punishment of criminal offences, breaches of a law imposing a penalty or sanction or breaches of a prescribed law; or

(ii) the enforcement of laws relating to the confiscation of the proceeds of crime; or

(v) the preparation for, or conduct of, proceedings before any court or tribunal, or implementation of its orders;

by or on behalf of an enforcement body; or

(k) an enforcement body performing a lawful security function asks the organisation not to provide access to the information on the basis that providing access would be likely to cause damage to the security of Australia.

6.2 However, where providing access would reveal evaluative information generated within the organisation in connection with a commercially sensitive decision-making process, the organisation may give the individual an explanation for the commercially sensitive decision rather than direct access to the information.

Note: An organisation breaches subclause 6.1 if it relies on subclause 6.2 to give an individual an explanation for a commercially sensitive decision in circumstances where subclause 6.2 does not apply.

6.3 If the organisation is not required to provide the individual with access to the information because of one or more of paragraphs 6.1(a) to (k) (inclusive), the organisation must, if reasonable, consider whether the use of mutually agreed intermediaries would allow sufficient access to meet the needs of both parties.

6.4 If an organisation charges for providing access to personal information, those charges:

(a) must not be excessive; and

(b) must not apply to lodging a request for access.

6.5 If an organisation holds personal information about an individual and the individual is able to establish that the information is not accurate, complete and up-to-date, the organisation must take reasonable steps to correct the information so that it is accurate, complete and up-to-date.

6.6 If the individual and the organisation disagree about whether the information is accurate, complete and up-to-date, and the individual asks the organisation to associate with the information a statement claiming that the information is not accurate, complete or up-to-date, the organisation must take reasonable steps to do so.

6.7 An organisation must provide reasons for denial of access or a refusal to correct personal information.

7 Identifiers

7.1 An organisation must not adopt as its own identifier of an individual an identifier of the individual that has been assigned by:

(a) an agency; or

(b) an agent of an agency acting in its capacity as agent; or

(c) a contracted service provider for a Commonwealth contract acting in its capacity as contracted service provider for that contract.

7.1A However, subclause 7.1 does not apply to the adoption by a prescribed organisation of a prescribed identifier in prescribed circumstances.

Note: There are prerequisites that must be satisfied before those matters are prescribed: see subsection 100(2).

7.2 An organisation must not use or disclose an identifier assigned to an individual by an agency, or by an agent or contracted service provider mentioned in subclause 7.1, unless:

(a) the use or disclosure is necessary for the organisation to fulfil its obligations to the agency; or

(b) one or more of paragraphs 2.1(e) to 2.1(h) (inclusive) apply to the use or disclosure; or

(c) the use or disclosure is by a prescribed organisation of a prescribed identifier in prescribed circumstances.

Note: There are prerequisites that must be satisfied before the matters mentioned in paragraph (c) are prescribed: see subsection 100(2).

7.3 In this clause:

identifier includes a number assigned by an organisation to an individual to identify uniquely the individual for the purposes of the organisation’s operations. However, an individual’s name or ABN (as defined in the A New Tax System (Australian Business Number) Act 1999) is not an identifier.

8 Anonymity

Wherever it is lawful and practicable, individuals must have the option of not identifying themselves when entering transactions with an organisation.

9 Transborder data flows

An organisation in Australia or an external Territory may transfer personal information about an individual to someone (other than the organisation or the individual) who is in a foreign country only if:

(a) the organisation reasonably believes that the recipient of the information is subject to a law, binding scheme or contract which effectively upholds principles for fair handling of the information that are substantially similar to the National Privacy Principles; or

(b) the individual consents to the transfer; or

(c) the transfer is necessary for the performance of a contract between the individual and the organisation, or for the implementation of pre-contractual measures taken in response to the individual’s request; or

(d) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the individual between the organisation and a third party; or

(e) all of the following apply:

(i) the transfer is for the benefit of the individual;

(ii) it is impracticable to obtain the consent of the individual to that transfer;

(iii) if it were practicable to obtain such consent, the individual would be likely to give it; or

(f) the organisation has taken reasonable steps to ensure that the information which it has transferred will not be held, used or disclosed by the recipient of the information inconsistently with the National Privacy Principles.

10 Sensitive information

10.1 An organisation must not collect sensitive information about an individual unless:

(a) the individual has consented; or

(b) the collection is required by law; or

(c) the collection is necessary to prevent or lessen a serious and imminent threat to the life or health of any individual, where the individual whom the information concerns:

(i) is physically or legally incapable of giving consent to the collection; or

(ii) physically cannot communicate consent to the collection; or

(d) if the information is collected in the course of the activities of a non-profit organisation – the following conditions are satisfied:

(i) the information relates solely to the members of the organisation or to individuals who have regular contact with it in connection with its activities;

(ii) at or before the time of collecting the information, the organisation undertakes to the individual whom the information concerns that the organisation will not disclose the information without the individual’s consent; or

(e) the collection is necessary for the establishment, exercise or defence of a legal or equitable claim.

(ii) the compilation or analysis of statistics relevant to public health or public safety;

(iii) the management, funding or monitoring of a health service; and

(b) that purpose cannot be served by the collection of information that does not identify the individual or from which the individual’s identity cannot reasonably be ascertained; and

(c) it is impracticable for the organisation to seek the individual’s consent to the collection; and

(d) the information is collected:

(i) as required by law (other than this Act); or

(ii) in accordance with rules established by competent health or medical bodies that deal with obligations of professional confidentiality which bind the organisation; or

(iii) in accordance with guidelines approved by the Commissioner under section 95A for the purposes of this subparagraph.

10.4 If an organisation collects health information about an individual in accordance with subclause 10.3, the organisation must take reasonable steps to permanently de-identify the information before the organisation discloses it.

Appendix 5

Information Privacy Principles

The Information Privacy Principles as set out in s.14 of the Privacy Act 1988 are as follows:

Principle 1

Manner and purpose of collection of personal information

1. Personal information shall not be collected by a collector for inclusion in a record or in a generally available publication unless:

(a) the information is collected for a purpose that is a lawful purpose directly related to a function or activity of the collector; and

(b) the collection of the information is necessary for or directly related to that purpose.

2. Personal information shall not be collected by a collector by unlawful or unfair means.

Principle 2

Solicitation of personal information from individual concerned

Where:

(a) a collector collects personal information for inclusion in a record or in a generally available publication; and

(b) the information is solicited by the collector from the individual concerned;

the collector shall take such steps (if any) as are, in the circumstances, reasonable to ensure that, before the information is collected or, if that is not practicable, as soon as practicable after the information is collected, the individual concerned is generally aware of:

(c) the purpose for which the information is being collected;

(d) if the collection of the information is authorised or required by or under law – the fact that the collection of the information is so authorised or required; and

(e) any person to whom, or any body or agency to which, it is the collector’s usual practice to disclose personal information of the kind so collected, and (if known by the collector) any person to whom, or any body or agency to which, it is the usual practice of that first-mentioned person, body or agency to pass on that information.

Principle 3

Solicitation of personal information generally

Where:

(a) a collector collects personal information for inclusion in a record or in a generally available publication; and

(b) the information is solicited by the collector;

the collector shall take such steps (if any) as are, in the circumstances, reasonable to ensure that, having regard to the purpose for which the information is collected:

(c) the information collected is relevant to that purpose and is up to date and complete; and

(d) the collection of the information does not intrude to an unreasonable extent upon the personal affairs of the individual concerned.

Principle 4

Storage and security of personal information

A record-keeper who has possession or control of a record that contains personal information shall ensure:

(a) that the record is protected, by such security safeguards as it is reasonable in the circumstances to take, against loss, against unauthorised access, use, modification or disclosure, and against other misuse; and

(b) that if it is necessary for the record to be given to a person in connection with the provision of a service to the record-keeper, everything reasonably within the power of the record-keeper is done to prevent unauthorised use or disclosure of information contained in the record.

Principle 5

Information relating to records kept by record-keeper

1. A record-keeper who has possession or control of records that contain personal information shall, subject to clause 2 of this Principle, take such steps as are, in the circumstances, reasonable to enable any person to ascertain:

(a) whether the record-keeper has possession or control of any records that contain personal information; and

(b) if the record-keeper has possession or control of a record that contains such information:

(i) the nature of that information;

(ii) the main purposes for which that information is used; and

(iii) the steps that the person should take if the person wishes to obtain access to the record.

2. A record-keeper is not required under clause 1 of this Principle to give a person information if the record-keeper is required or authorised to refuse to give that information to the person under the applicable provisions of any law of the Commonwealth that provides for access by persons to documents.

3. A record-keeper shall maintain a record setting out:

(a) the nature of the records of personal information kept by or on behalf of the record-keeper;

(b) the purpose for which each type of record is kept;

(c) the classes of individuals about whom records are kept;

(d) the period for which each type of record is kept;

(e) the persons who are entitled to have access to personal information contained in the records and the conditions under which they are entitled to have that access; and

(f) the steps that should be taken by persons wishing to obtain access to that information.

4. A record-keeper shall:

(a) make the record maintained under clause 3 of this Principle available for inspection by members of the public; and

(b) give the Commissioner, in the month of June in each year, a copy of the record so maintained.

Principle 6

Access to records containing personal information

Where a record-keeper has possession or control of a record that contains personal information, the individual concerned shall be entitled to have access to that record, except to the extent that the record-keeper is required or authorised to refuse to provide the individual with access to that record under the applicable provisions of any law of the Commonwealth that provides for access by persons to documents.

Principle 7

Alteration of records containing personal information

1. A record-keeper who has possession or control of a record that contains personal information shall take such steps (if any), by way of making appropriate corrections, deletions and additions as are, in the circumstances, reasonable to ensure that the record:

(a) is accurate; and

(b) is, having regard to the purpose for which the information was collected or is to be used and to any purpose that is directly related to that purpose, relevant, up to date, complete and not misleading.

2. The obligation imposed on a record-keeper by clause 1 is subject to any applicable limitation in a law of the Commonwealth that provides a right to require the correction or amendment of documents.

3. Where:

(a) the record-keeper of a record containing personal information is not willing to amend that record, by making a correction, deletion or addition, in accordance with a request by the individual concerned; and

(b) no decision or recommendation to the effect that the record should be amended wholly or partly in accordance with that request has been made under the applicable provisions of a law of the Commonwealth;

the record-keeper shall, if so requested by the individual concerned, take such steps (if any) as are reasonable in the circumstances to attach to the record any statement provided by that individual of the correction, deletion or addition sought.

Principle 8

Record-keeper to check accuracy etc. of personal information before use

A record-keeper who has possession or control of a record that contains personal information shall not use that information without taking such steps (if any) as are, in the circumstances, reasonable to ensure that, having regard to the purpose for which the information is proposed to be used, the information is accurate, up to date and complete.

Principle 9

Personal information to be used only for relevant purposes

A record-keeper who has possession or control of a record that contains personal information shall not use the information except for a purpose to which the information is relevant.

Principle 10

Limits on use of personal information

1. A record-keeper who has possession or control of a record that contains personal information that was obtained for a particular purpose shall not use the information for any other purpose unless:

(a) the individual concerned has consented to use of the information for that other purpose;

(b) the record-keeper believes on reasonable grounds that use of the information for that other purpose is necessary to prevent or lessen a serious and imminent threat to the life or health of the individual concerned or another person;

(c) use of the information for that other purpose is required or authorised by or under law;

(d) use of the information for that other purpose is reasonably necessary for enforcement of the criminal law or of a law imposing a pecuniary penalty, or for the protection of the public revenue; or

(e) the purpose for which the information is used is directly related to the purpose for which the information was obtained.

2. Where personal information is used for enforcement of the criminal law or of a law imposing a pecuniary penalty, or for the protection of the public revenue, the record-keeper shall include in the record containing that information a note of that use.

Principle 11

Limits on disclosure of personal information

1. A record-keeper who has possession or control of a record that contains personal information shall not disclose the information to a person, body or agency (other than the individual concerned) unless:

(a) the individual concerned is reasonably likely to have been aware, or made aware under Principle 2, that information of that kind is usually passed to that person, body or agency;

(b) the individual concerned has consented to the disclosure;

(c) the record-keeper believes on reasonable grounds that the disclosure is necessary to prevent or lessen a serious and imminent threat to the life or health of the individual concerned or of another person;

(d) the disclosure is required or authorised by or under law; or

(e) the disclosure is reasonably necessary for the enforcement of the criminal law or of a law imposing a pecuniary penalty, or for the protection of the public revenue.

2. Where personal information is disclosed for the purposes of enforcement of the criminal law or of a law imposing a pecuniary penalty, or for the purpose of the protection of the public revenue, the record-keeper shall include in the record containing that information a note of the disclosure.

3. A person, body or agency to whom personal information is disclosed under clause 1 of this Principle shall not use or disclose the information for a purpose other than the purpose for which the information was given to the person, body or agency.

Appendix 6

Community Attitudes towards Privacy 2004

This survey was conducted by Roy Morgan Research in May 2004. The objectives of the research were to:

Identify current privacy behaviour

Identify community expectations about privacy

Identify perceptions and beliefs about appropriate levels of privacy

Gauge levels of knowledge about privacy

Gauge levels of knowledge about privacy laws and the OFPC

Find any shifts in these perceptions to get information about the impact of the Office’s activities or the Privacy Act.

Knowledge of privacy rights

The number of respondents who say they have adequate knowledge of their privacy rights has increased from 18% in 2001 to 26% in 2004.

But levels are still low: only one in four people surveyed claimed adequate knowledge of privacy rights. 38% of people know very little or nothing about their privacy rights, although this figure has decreased from 52% in 2001.

In the 2001 study, 52% of the younger respondents (18-24) claimed to know very little about their rights. By 2004, this had reduced to 36%, which is not significantly different from the rest of the population aged 18 and over.

Level of knowledge of privacy

53% of respondents knew that government agencies are covered by privacy law, though 26% of people thought that they were not and 21% of respondents did not know.

56% of people know that banks, insurance companies and other financial institutions are covered by privacy law (while 29% think not and 14% do not know).

47% of respondents knew that there are some restrictions on charities, private schools, private hospitals and other NGOs (while 32% think not and 21% did not know).

Males have a higher level of knowledge about the coverage of government departments by the Privacy Act.

Respondents with more education were more likely to have a higher level of knowledge about the coverage of the Privacy Act.

This research indicates that there is still a great deal of misunderstanding about privacy laws amongst half the population.

Awareness of Privacy Commissioner

There has been little change in awareness of the Federal Privacy Commissioner between 2001 (36%) and 2004 (34%).

Males have a higher awareness (40%) than females (28%)

The lowest levels of awareness are among 18 – 24 year olds (26%)

BUT only 7% of respondents would report the misuse of information to the Federal or a State Privacy Commissioner. 19% of respondents said they would report it to the ombudsman, 15% would report it to the organisation involved, 13% would report it to the police, 10% would report it to the local consumer affairs office and 8% of respondents said that they would report it to their local or state MP.

However, there has been a steady increase in awareness of the Federal Privacy Commissioner: in 1994, 2% reported that they would report misuse of personal information to the Office; in 2001 the figure rose to 5%; and in 2004 it reached 7%.

These figures indicate that even if respondents know about the Office, they do not know what the Office’s role is.

Trust in organisations

Levels of trust have increased in some organisations between 2001 and 2004, including:

Health service providers

Financial organisations

Market research companies

Government organisations

Retailers

Real estate agents

BUT not internet sales companies

Overall, health service providers are the most trusted organisations, followed by financial organisations, government organisations, charities, retailers, market research organisations and real estate agents, with internet organisations last. There has been little change in mean levels of trustworthiness between 2001 and 2004.

Perceptions of invasions of privacy

Still high levels of people (approximately 90-95%) regard the following as invasions of privacy:

Business gets hold of personal information

Business monitors internet activity without permission

Business uses personal information for a purpose other than the one it was collected for

Business asks for irrelevant personal information

But asking for ID is not regarded by most as an invasion of privacy

38% of respondents reported that there had been an increase in the incidence of being asked for ID, while the majority (56%) said it was about the same and 4% said there had been a decrease.

Reluctance to provide personal information

The studies in 2001 and 2004 show reluctance to provide similar kinds of personal information including:

Financial information – bank account and income details are by far the most sensitive information, and the information people are most reluctant to disclose

Contact details – especially phone number

Health information.

Reasons for reluctance include increased concern about crime and a desire to avoid being sent unsolicited material.

Protective behaviours

Compared with the 2001 survey, the 2004 research indicated mixed results about protective behaviours. Respondents in 2004 were more likely to leave information off forms, but less likely to refuse to deal with an organisation.

Marketing material, the electoral roll and the white pages

The proportion of people who totally disagreed with use of the Electoral Roll for marketing has increased by seven percentage points, from 70% to 77%.

The proportion of people who totally disagree with marketing use of the White Pages has stayed the same (46%). The proportion who agree has increased from 42% to 44%.

Trade off between privacy and customer service

According to the research the most important elements of a privacy policy were:

How the information will be used (this was by far the most important information included in a privacy policy)

If and when the information will be passed on

What information will be kept.

Government departments and privacy

Unique identifier for ID purposes and to access government services on the internet:

53% of people were in favour of a unique identifier for these purposes, while 41% were against the idea

Males favoured the idea of a government identifier more than women

Respondents on higher incomes were more in favour of a government identifier than respondents on lower incomes.

Circumstances under which government departments should be able to share information

The majority of respondents agree that government departments should be able to share information, but only in some circumstances

Only 9% of people said that departments should be able to share information under any circumstances, while 24% of people said not under any circumstances

Males (11%) were more likely to agree to sharing under any circumstances than women (8%)

People on lower incomes were more likely to say that government departments should not share information under any circumstances (27%)

People over 50 (13%) were more likely to agree to sharing under any circumstances than younger people (4%).

Purposes for which government departments should be able to share information most often cited were (in order of frequency) to:

Prevent crime

Update information

Improve efficiency (least often cited).

Health services

Attitudes towards doctors discussing medical details with other health professionals without consent if they thought that it would assist treatment:

Slight increase in people being comfortable with doctors discussing health information with other doctors if it would help the health outcome, from 53% in 2001 to 60% in 2004

Males are more likely to be comfortable with this than females

Older people are more likely to be comfortable with this than younger people

Respondents with less education were more likely to assent to this than people with higher education.

Attitudes towards a health number to enable the government to better track the use of health services:

57% of respondents agreed to a health number to track services, including 28% who strongly agreed

36% of people disagreed with this idea while 4% were undecided

Males, young people and older people are more likely to agree. Slightly more people agree with the idea of a health number (57%) than a government number (53%).

Inclusion in health database

64% of people think inclusion should be voluntary, compared to 66% in 2001

32% of people think that inclusion should be a matter of course (compared to 28% in 2001)

Males (35%) and older people (37%) were more likely to think inclusion should be a matter of course

Permission for use of de-identified health information for research

64% of people think that permission should be sought

33% of respondents think that permission is not necessary

Females (68%) were more likely to think that permission should be sought than males (59%)

18 – 24 year olds most likely to think permission should be sought (71%)

People with less education were more likely to think that permission should be sought.

Privacy in the Workplace

Respondent views were polarised on the issue of employers reading work emails:

One quarter (23%) of respondents think employers should be able to read emails

One third (34%) think employers should not have this right.

Males (26%) were more likely to agree with employers reading work emails than females (19%), and respondents over 35 years of age (25%) were more likely to agree with this than 18-34 year olds (16%).

Views on employers using surveillance equipment and monitoring devices that track what employees type are similar, with roughly one quarter agreeing with the use of these surveillance techniques and one third disagreeing.

There was more concern about the monitoring of telephone conversations by employers:

Only 5% of people thought it was acceptable for employers to do this whenever they choose, though 35% of people agreed with it for quality of service purposes

59% of respondents said that employee drug testing should only be conducted when it is necessary to ensure safety

83% of respondents stated that a workplace privacy policy is important to have.

Internet usage

65% of respondents use the internet once a week or more (up from 51% in 2001).

The level of concern about security of personal information when dealing over the internet has risen since 2001, from 57% to 62% in 2004.

More people are reading privacy policies in 2004 (67%) than in 2001 (55%):

People who said they had an adequate amount of privacy knowledge are more likely to read privacy policies

However, those who said they had more concerns about security were no more likely to read privacy policies than those with fewer concerns

Reading a privacy policy online made 14% of people feel more comfortable and secure, whereas in 2001 it reassured 18% of respondents.

Other findings from the survey about online behaviour include that:

3 in 10 give false information online. Younger people are more likely to do this than older people

80% of people regularly update antivirus software

49% use a firewall

48% have at some stage rejected cookies

47% use a spam filter

38% use temporary email accounts

28% use software to protect anonymity.

Appendix 7

Information Sheet 13:

Ensuring that organisations comply with their obligations under the Privacy Act is one of the Office’s most important functions. Good advice and good rules only make a real difference if they are put into practice.

This information sheet sets out the approach the Office intends to take to promoting compliance with the requirements of the Privacy Act and the mechanisms the Act provides to accomplish this objective.

Privacy solutions

Our Strategic Plan, launched in March 2000, explicitly states that the primary value we seek to deliver to our stakeholders stems from developing privacy solutions that build confidence throughout the Australian community. In implementing the new provisions in the Privacy Act, the Office will be seeking to find privacy solutions that deliver good privacy protection for individual Australians while imposing no undue burdens on the organisations involved.

Advice and assistance in preference to punishment

The Office takes the approach that compliance will be achieved most often by helping organisations to comply rather than seeking out and punishing the few organisations that do not. The large majority of Australian organisations in the private sector wish to comply with their legal obligations. The Office’s emphasis will be on providing advice, assistance and information. This is our first and preferred approach at all times. Our experience indicates that such an approach will be all that is necessary to resolve the large majority of matters that come to our attention.

Nevertheless, when breaches of the Act are identified they will be actively pursued. The Office will take care to ensure that breaches of the Act are remedied and complainants’ concerns addressed, including through compensation where that is warranted.

Investigating and resolving complaints

In line with this focus, the Office’s approach to handling complaints is one which aims at achieving fair and workable outcomes for the parties involved. In summary, our process is based on taking the following steps:

When we receive a complaint, we first check if the parties have attempted to resolve their differences directly and, if not, whether it would be appropriate for them to try. For private sector organisations covered by the National Privacy Principles or an approved code under Part IIIAA of the Act, this is mandated by section 40(1A) of the Act. In other words, we encourage internal complaints handling at the organisational level as a first step

If this fails, we enter a stage of conciliation based on accepted principles of alternative dispute resolution. In most cases, we rely on phone calls and letters to the parties. In a small proportion of more intractable matters, we may meet with the parties face to face

This process has been very successful in the established areas of the Commissioner’s jurisdiction, which cover Commonwealth government agencies, tax file numbers, spent convictions and the consumer credit reporting industry. Most complaints are closed under section 41(2)(a) on the grounds that the respondent has adequately dealt with the matter, rather than by the Commissioner issuing a formal determination

In the large majority of complaints over the last five years, resolution has involved measures other than monetary compensation. Only around six per cent of complaints have involved financial compensation. In all but a few serious matters, the amounts have been between $500 and $3,000

The Commissioner has the power to make a formal determination in relation to complaints (s.52). A determination may prohibit the respondent organisation from continuing or repeating conduct that has breached the Act. It may direct the organisation to perform any reasonable course of conduct to redress loss or damage suffered by the complainant. It may direct the organisation to pay a specified amount to the complainant by way of compensation. However, in the last 12 years, successive Commissioners have found it necessary to use the formal determination-making power under s.52 in only two cases

If the parties do not comply with the terms of a determination, s.55A of the Act allows us to approach the Federal Court or the Federal Magistrates Court to seek enforcement via a new (de novo) hearing. So far, the Office has never needed to take this step.

Commissioner-initiated investigations

The Office will take the same approach in relation to investigations that the Commissioner conducts on his or her own initiative.

The Privacy Act (s.40(2)) gives the Commissioner the power to carry out an investigation without having received a complaint. This power is available if there may have been an interference with privacy and the Commissioner thinks it is desirable that the matter be investigated. This power may be used where there appears to be a serious breach of privacy that has strong public interest implications. Whether the Office has received complaints about the organisation in the past is also a factor.

The first approach in these cases is to write to the organisation asking for further information. If there then appears to have been a breach of the Act, the action the Office takes will depend upon the respondent’s acknowledgment of the breach and its preparedness to take appropriate remedial action.

Injunctions

The Commissioner has powers under s.98 of the Act to seek an injunction from the Federal Court to ensure compliance with the Act. An injunction may prohibit an organisation from engaging in conduct that would breach the Act or require it to take steps to bring itself into compliance with the Act. An injunction may be sought in relation to a complaint investigation or an own initiative investigation. Again, successive Commissioners have not sought any injunctions so far and this step would be taken only when other more informal means have failed to yield a satisfactory outcome.

Reporting to the public

The Office includes in its annual report some case studies on complaints it has handled and investigations it has carried out. These are reported in summary form and do not generally identify the complainant or respondent. With the new private sector provisions, the Office plans to add to this approach by publishing more frequent, de-identified case notes on complaints it has handled. The aim of these will be to help organisations and the community understand the way the Office applies the provisions of the Act and, where relevant, the provisions of approved codes.

On occasion there may be some merit in making public the circumstances of a particular complaint or investigation. This may be, for example, where there is already publicity around a particular matter before it reaches the Office or where, despite all the other approaches the Office has taken, an organisation continues to engage in behaviour that constitutes an interference with privacy. This would clearly be a serious step which could have commercial consequences for the organisation concerned. It would only be appropriate in rare circumstances. In the ordinary course of events, the Commissioner would not consider such a step unless:

an organisation either repeatedly or very seriously breaches the Privacy Act

the organisation demonstrates by its actions that it does not intend to comply with its legal obligations, and

all other measures have failed to change the organisation’s behaviour.

We will signal our intentions

The Office will not take action in relation to an organisation without first giving it fair warning of our intentions. Our objective is to assist organisations to comply with their obligations under the Act. Openness and predictability are important means of accomplishing this objective.

We will take measures proportional to the seriousness of the issues

The strength of the measures the Office takes in relation to a particular matter will be proportional to its seriousness. The Office will not be taking strong measures in relation to minor breaches of the law. However, in the most serious matters, the Office will be prepared to use any mechanism available under the Act to achieve an acceptable privacy outcome.

In assessing the seriousness of any particular matter the Office will consider:

the number of individuals involved

what disadvantage they have suffered

whether the matter raises ongoing systemic issues, or is a one-off incident, and

the willingness of the organisation to take action to resolve the matter and to prevent recurrence - in assessing this, the organisation’s track record in privacy matters will be taken into account.

About Information Sheets

Information sheets are advisory only and are not legally binding. (The NPPs in Schedule 3 of the Privacy Act 1988 (Cth) (the Privacy Act) do legally bind organisations.)

Information sheets are based on the Office’s understanding of how the Privacy Act works. They provide explanations of some of the terms used in the NPPs and good practice or compliance tips. They are intended to help organisations apply the NPPs in ordinary circumstances. Organisations may need to seek separate legal advice on the application of the Privacy Act to their particular situation.

Nothing in an information sheet limits the Privacy Commissioner’s freedom to investigate complaints under the Privacy Act or to apply the NPPs in the way that seems most appropriate to the facts of the case being dealt with.

Organisations may also wish to consult the Commissioner’s guidelines and other information sheets.

Appendix 8

Complaints under the Privacy Act

Individuals who believe that their personal information has been interfered with in some way may complain to the Privacy Commissioner. The complaint may be against an organisation or an agency and must be made in accordance with section 36 of the Act. Individuals cannot complain to the Privacy Commissioner about organisations that are bound by an approved privacy code except where the Commissioner is the adjudicator for that code. However, individuals may ask the Commissioner to review a determination made by a code adjudicator (section 18BI). Representative complaints may also be lodged and accepted by the Office in relation to a privacy issue that affects two or more complainants.

A complaint must be in writing. The Office must provide appropriate assistance to people who need help to formulate their complaint. The complaint should specify the respondent that is the subject of the complaint, as well as the act or practice of the agency or organisation that allegedly breaches, or may continue to breach, the Act. These requirements are outlined in section 36 of the Act. Additionally, section 38 describes the conditions required for a representative complaint to be made under the Act.

Individuals must first complain to the respondent

Generally speaking, the Commissioner will not investigate a complaint unless the individual has first complained to the organisation. The Commissioner has the discretion to waive this requirement, however, if it would not be appropriate for the individual to approach the respondent. This might include circumstances where the person responsible for the privacy breach would also investigate the complaint, or where there is potential harm to the individual.

Preliminary Enquiry before an investigation

The Office conducts preliminary enquiries where it is not clear whether the Commissioner should investigate a complaint, for example because the organisation concerned may not be within jurisdiction.

A preliminary enquiry is an initial fact-finding exercise conducted by the Office. Section 42 gives the Office the power to contact the respondent named in the complaint in order to gather general information about the respondent, for example to determine whether it may be exempt under the Act. It is not automatic that the complainant’s identity would need to be made known to the respondent in order for the Office to be able to at least partly progress the complaint in the preliminary enquiry stage.

Deciding not to investigate

The Act provides a number of grounds on which the Commissioner may decide not to investigate, or not to investigate further, a complaint. The grounds are set out in section 41 and include where the complainant has known about the matter for over 12 months, where it is evident that there is no interference with privacy, or where the matter is better dealt with under another law.

The Office looks at the circumstances of the complaint before deciding whether to exercise the discretion not to investigate. For example, where the individual has known about the matter for over 12 months, the Commissioner may still investigate if the complainant can demonstrate some good reason for the delay and the respondent has suffered no prejudice as a result of the delay.

Investigating complaints

The Office may investigate a complaint under section 40(1) of the Act if:

it is about an act or practice that may be an interference with the privacy of an individual

the complaint is against an organisation or agency and

a complaint has been lodged with the Office in accordance with section 36.

Section 16E states that acts or practices that may be an interference with the privacy of an individual, but appear to have been committed by another individual acting in a private capacity, are not covered by the Act.

The Office has a backlog of complaints awaiting investigation. Complaints (preliminary enquiries and investigations) that do not meet the criteria for an urgent investigation are queued according to date of receipt.

A complaint may be investigated urgently in limited circumstances. These include:

where it appears that the complainant is currently suffering significant disadvantage as a result of the events described in the complaint, and the disadvantage is likely to be eliminated, or substantially diminished, by prompt resolution of the complaint

where it appears that the complainant will suffer future significant disadvantage unless the complaint is resolved promptly

where the complaint appears to raise systemic issues that affect a large number of individuals, or

where the incident complained of is particularly serious and the circumstances suggest that delay in investigation will substantially reduce the probability of obtaining an appropriate resolution.

Under section 40(2) of the Act, the Office may decide it is desirable to investigate possible interferences with privacy where there is no individual complaint. The Office calls such investigations ‘own motion investigations’ (OMIs). An OMI may be launched as a result of information that has come to the Office, for example via published media stories or information provided by an individual who wishes to remain anonymous.

Conducting investigations

The Act requires the Commissioner and staff not to disclose information that has come into their possession in the course of their duties, except as the Act permits. As well, the Commissioner and staff of the Office cannot be compelled to furnish information acquired by them as a consequence of performing the duties prescribed under the Act, except in the circumstances outlined in the Act (section 96).

Section 43(2) of the Act provides that investigations should be conducted ‘in private’, but otherwise the Commissioner has discretion as to the manner in which any investigation he or she commences is conducted.

Generally speaking, in the interests of procedural fairness, parties to the complaint will have access to any information that the Office is considering. However, the Office will consider requests from the complainant or respondent that the information they have provided, or intend to provide, to the Office remain confidential. The Office will first seek to discuss this request with either party where it appears that a resolution of the complaint could be substantially affected by the request. It is worth noting that the Office’s ability to investigate a complaint, and to achieve a satisfactory resolution, may be significantly hampered by a party to the complaint insisting that their submission remain ‘in confidence’.

The Commissioner has the power to compel a person to provide information or documentation as part of the investigation into an alleged interference with an individual’s privacy. The person may be required to provide the required information or documentation in writing, or in person (section 44).

The Commissioner may authorise staff, with the organisation’s consent or under a warrant issued by a Magistrate, to enter the premises of an organisation which is the subject of an investigation or in relation to which enforcement of a determination is sought (section 68).

The Office must also provide parties likely to be adversely affected by a determination with a reasonable opportunity to appear before the Commissioner before a finding under section 52 of the Act is made. Under section 43(5) of the Act, the Commissioner may only make a determination after the complainant or respondent has been provided with the opportunity to appear before the Commissioner and to make submissions, orally, in writing or both. Apart from this there is no general obligation on the Office to allow parties to appear before the Commissioner.

A complainant will often have a specific remedy in mind in relation to the complaint made against the agency or organisation. The Office uses the process of statutory conciliation with the aim of negotiating remedies for the complaint in question.

The Office’s role is to provide impartial assistance to both parties to reach a resolution of a complaint. In the process of conciliation the parties may come to any resolution that is acceptable to both.

Where a complaint cannot be resolved by conciliation and the Commissioner makes a determination, the remedies available to the Commissioner are broadly prescribed under section 52 of the Act. They include, for example, a finding that compensation is payable to the complainant.

Possible outcomes of an investigation

Before a final decision in relation to a complaint, the Office will arrive at a preliminary view about the complaint, and provide this view in writing to the parties involved in the complaint for their comment before the final decision is made. A preliminary view is essentially a draft decision about the complaint under consideration and provides both parties with a right of rebuttal in relation to the evidence that the decision has been based on.

A preliminary view may be issued prior to, or after, conciliation between the parties involved in the complaint has been attempted.

A determination is a legal decision or finding made by the Commissioner, as a consequence of which the Act’s enforcement powers are activated (sections 52-62 of the Act). The determination may dismiss the complaint, or find that the complaint has been substantiated and make declarations about action needed, including that conduct should cease or not be repeated, the nature of redress and compensation, or that no further action is needed.

Particular complaints made to the Office may fall under the jurisdiction of a privacy code that has been given prior approval by the Commissioner. In that case, any investigation of the complaint is carried out by the complaint handling body (independent adjudicator) established for that particular code, which has the same determinative powers as the Commissioner does under section 52 of the Act (section 18BB(3)). As noted earlier, this Office may also act as the final adjudicator in relation to a complaint.

Enforcement refers to the steps outlined in the Act by which the Commissioner seeks a respondent’s adherence to the determination that the Commissioner has made in respect of the privacy complaint made against that respondent (sections 54-62).

Other matters

Injunctions may be sought through the Federal Court or Federal Magistrates Court by the Commissioner or any other person against a person who has engaged, or is proposing to engage, in any conduct that constituted, or would constitute, a contravention of the Act (section 98).

Appendix 9

Complaints Statistics

The Office of the Privacy Commissioner has received a total of 3575 complaints since the introduction of the private sector provisions in the Privacy Act (21 December 2001 – 31 January 2005). Of these complaints, 2358 (66%) concerned the National Privacy Principles (NPPs) in the Act.

The number of complaints received by financial year has increased significantly over this period, from 194 complaints received in the 2000-2001 financial year to 1276 complaints received in 2003-2004.

Complaints Received by Financial Year

2003-2004 – 1276

2002-2003 – 1090

2001-2002 – 632

2000-2001 – 194

This increase can be largely attributed to the rapid growth in the number of complaints received concerning the NPPs since December 2001. The following graph, showing complaints received by jurisdictional area, clearly illustrates this increase:

Complaints Received by Issue Type by Financial Year

NB: The graph illustrating this is available in the pdf at page 326.

Complaints Closed

Over the review period (21 December 2001 – 31 January 2005), the Office closed 3137 complaints compared with 3575 complaints received.

Whilst the Office has received more complaints than it has closed since 21 December 2001, the Office has kept pace with the growth in the number of complaints received, as shown in the following graph:

Complaints Received and Closed by Financial Year

2001-2002 – Received 632, Closed 374

2002-2003 – Received 1090, Closed 963

2003-2004 – Received 1276, Closed 1238

Complaint Outcomes

Section 41 of the Act outlines circumstances in which the Commissioner or her delegates can decide not to investigate, or not to investigate further, complaints received under the Act. In most cases, complaints received by the Office are declined or finalised using these powers. In a very small number of cases the Commissioner has finalised a complaint by making a determination under section 52 of the Act.

The following graph shows the grounds on which complaints made under the private sector provisions (NPP complaints) were closed by the Office. This includes NPP complaints that were declined without investigation as well as NPP complaints that were investigated or where preliminary enquiries were conducted.

Outcome of Closed NPP Complaints

Complaints Closed from 21 Dec 01- 31 Jan 05

Not a breach of the Act – 28%

The respondent has adequately dealt with the complaint – 20%

Not within jurisdiction – 24%

Other – 6%

Lost contact or withdrawn – 3%

Respondent had not had the opportunity to deal with the matter – 19%

As shown in the previous graph, 24% of NPP complaints were closed on the grounds that the matter did not fall within the jurisdiction of the Office. Of these complaints, 48.6% were closed due to the application of the exemptions to the NPPs. The following graph shows the breakdown of this general “Not within jurisdiction” category, and illustrates the operation of the exemptions under the Act.

NPP Complaints Closed as Outside Jurisdiction

Complaints Closed from 21 Dec 01- 31 Jan 05

Journalism Exemption – 1%

Employee Record Exemption – 12%

NPPs did not yet apply to act or practice – 25%

State & Local Government Exemption – 16%

Small Business Exemption – 20%

Political Exemption – 0.4%

Not Under Act – 26%

Complaints by Issue Type

The issues raised in complaints tend to cluster around a few of the privacy principles, in particular the principles dealing with collection (NPPs 1 & 10), disclosure (NPP 2) and access (NPP 6).

The following graph shows the number of NPP complaints received according to issue type (it should be noted that complaints may be recorded under more than one issue type).

Complaints Received By Issue Type

Complaints received from 21 Dec 01 - 31 Jan 05

Collection – 517

Direct Marketing – 168

Use – 309

Disclosure – 805

Data Quality – 327

Data Security – 265

Access – 461

Other - 54

Whilst this graph shows the issues most likely to arise in complaints received by the Office, it does not necessarily follow that these issues are the most common in cases where the Commissioner assesses that there may have been a breach of the Act.

The Commissioner may close a complaint under section 41(2)(a) of the Act where the Commissioner is satisfied that the respondent organisation has adequately dealt with the complaint. Complaints are closed using this provision both where the respondent was found to be in breach of the Act and then took adequate steps to resolve the matter, and where the respondent adequately resolved the matter without a formal investigation having been commenced. As such, an analysis of the number of complaints closed as adequately dealt with provides an indication of the number of complaints that were substantiated.

The following graph shows the breakdown of issues in complaints closed on the grounds that the respondent had adequately dealt with the privacy issues raised.

Privacy Complaints Resolved by the Respondent following Intervention by the OPC (complaints closed 21 Dec 01 - 31 Jan 05)

Access – 112
Disclosure – 65
Data Quality – 54
Data Security – 54
Collection – 42
Direct Marketing – 22
Use – 22
Other – 11

It is noteworthy that, whilst disclosure was the most commonly raised issue in complaints received by the Office (805 of the 2,906 issues recorded, or about 28%), a much smaller proportion of the complaints closed as adequately dealt with concerned disclosure issues (65 of 382, or about 17%). Conversely, the figures suggest that a disproportionate number of complaints concerning access issues were substantiated (112 of 382, or about 29%, compared with about 16% of the issues recorded in complaints received), requiring action on the part of the respondent to resolve the matters raised.

Complaints by Respondent Sector

The following graph shows the number of NPP complaints received according to industry sector, with finance sector organisations most frequently named as respondents in the NPP complaints received, followed by health and telecommunications sector organisations.

Complaints Received by Industry Sector (complaints received 21 Dec 01 - 31 Jan 05)

Finance – 428
Health Service Providers – 330
Telecommunications – 223
Priv Invest/ Debt Coll/ CRAs/ Tenancy DB – 194
Insurance – 153
Real Estate – 143
Retail – 107
Legal, Accounting & Management Services – 79
Theatres/ Libraries/ Sport/ Media – 71
Property & Business Services – 68

Again, these figures can be compared with the number of NPP complaints closed where the respondent took action to resolve the privacy issue. In this case, the number of complaints closed as adequately dealt with was, generally speaking, proportional to the number of complaints received against that sector.

Complaints Resolved following Intervention by OPC (complaints closed 21 Dec 01 - 31 Jan 05)

Finance – 80
Health Service Providers – 57
Telecommunications – 34
Retail – 20
Priv Invest/ Debt Coll/ CRAs/ Tenancy DB – 18
Insurance – 16
Property & Business Services – 10
Real Estate – 9
Business & Prof Associations – 8
Superannuation – 8

Enquiries Statistics

The OPC received 67,486 phone enquiries and 6,353 written enquiries between the introduction of the private sector provisions of the Privacy Act on 21 December 2001 and 31 January 2005.

More than half of the NPP enquiries received by the Office were made by individuals seeking advice regarding their privacy rights. Specifically, 65% of phone enquiries and 56% of written enquiries concerning the NPPs were made by individuals. The remaining enquiries were largely received from organisations seeking advice about their responsibilities under the Act, or advice regarding the application of the Act in general.

The number of phone and written enquiries received increased significantly following the introduction of the private sector provisions of the Act in December 2001, and has since remained fairly stable, as shown in the following graphs:

Phone Enquiries Received by Financial Year

2000-2001 – 8,177
2001-2002 – 21,033
2002-2003 – 21,290
2003-2004 – 20,207

Written Enquiries Received by Financial Year

2000-2001 – 884
2001-2002 – 2,700
2002-2003 – 2,382
2003-2004 – 2,206

Enquiries by Issue Type

As with complaints received by the Office, the issues raised in enquiries tend to cluster around a few of the privacy principles, in particular the principles dealing with use and disclosure (NPP 2), collection (NPPs 1 & 10) and access (NPP 6). A significant number of enquiries received also concerned the exemptions to the NPPs, such as the employee records exemption and the small business operator exemption.

The following graphs show the numbers of NPP phone and written enquiries received, respectively, according to issue type.

NPP Phone Enquiries by Issue Type (phone enquiries received 21 Dec 01 - 31 Jan 05)

Use and Disclosure – 14,255
NPP Exemptions – 7,650
Collection – 6,571
Access – 6,517
New Act General – 5,040
Data Security – 1,824
Data Quality – 657
Privacy Policies – 535
Other NPP Issues – 314

NPP Written Enquiries by Issue Type (written enquiries received 21 Dec 01 - 31 Jan 05)

Use and Disclosure – 1,539
New Act General – 1,060
NPP Exemptions – 432
Collection – 403
Access – 310
Data Security – 259
Privacy Policies – 51
Other NPP Issues – 44
Data Quality – 26

Enquiries by Industry Sector

The following graphs show the numbers of NPP phone and written enquiries received according to industry sector. For both phone and written enquiries, the industry sector about which the most enquiries were received was the health sector.

NPP Phone Enquiries Received by Industry Sector (phone enquiries received 21 Dec 01 - 31 Jan 05): the graph shows the ten industry sectors about which the most enquiries were received.

Appendix 11

Current Powers to enforce determinations

The Privacy Act allows the Office to take certain action to assess compliance with a determination. For instance, the Office may:

request information from the respondent to assess their compliance with the determination

collect information from other sources (for example from persons who were complainants in the original complaint against the respondent) that is relevant to an assessment of whether or not the respondent is complying with the determination

visit the respondent’s premises and examine their systems, with their consent

compel the production of documents under section 44 in the event of another investigation being conducted into the respondent’s operations under Division 1 of Part V of the Privacy Act

authorise a person to enter the respondent’s premises and inspect their documents pursuant to section 68; that person can then seek a warrant from a Magistrate to allow entry into the respondent’s premises if the Magistrate is satisfied that it is ‘reasonably necessary’

commence proceedings for enforcement of the determination and seek an interim injunction or orders for discovery.

Appendix 12

Decision Appeal Processes in comparable legislation

Human Rights and Equal Opportunity Commission

Under section 46PO of the Human Rights and Equal Opportunity Commission Act 1986, if a complaint has been terminated by the President under section 46PE or 46PH and the President has given a notice under subsection 46PH(2) in relation to the termination, any person affected in relation to the complaint may make an application to the Federal Court or the Federal Magistrates Court, alleging unlawful discrimination by one or more of the respondents to the terminated complaint. A complaint may be terminated, for example, if the President is satisfied that the alleged unlawful discrimination is not unlawful discrimination (section 46PH(1)(a)) or if the President is satisfied that there is no reasonable prospect of the matter being settled by conciliation (section 46PH(1)(i)). Powers to conciliate matters under the Human Rights and Equal Opportunity Commission Act do not extend to the making of determinations.

PRIVACY NSW

Under the Privacy and Personal Information Protection Act 1998 (NSW), as well as making a complaint to the Privacy Commissioner under section 45, an aggrieved individual may request an internal review under section 53. Under section 55, if a person who has made an application for internal review is not satisfied with the findings of the review or the action taken by the public sector agency in relation to the application, the person may apply to the Administrative Decisions Tribunal[259] for a review of the conduct that was the subject of the application.

Under subsection 47(1) of the Health Records and Information Privacy Act 2002 (NSW), the NSW Privacy Commissioner may make a written report as to any findings or recommendations by the Privacy Commissioner in relation to a complaint dealt with by the Privacy Commissioner. Under section 48, if a complaint is the subject of a report by the Privacy Commissioner, a person who has made a complaint to the Privacy Commissioner may apply to the Tribunal for an inquiry into the complaint.

PRIVACY VICTORIA

Under section 37 of the Information Privacy Act 2000 (Vic) and section 63 of the Health Records Act 2001 (Vic), if conciliation by the Privacy or Health Services Commissioner is unsuccessful, the complainant may refer the matter to the Victorian Civil and Administrative Tribunal[260].

PRIVACY New Zealand

Under section 83 of the Privacy Act 1993 (NZ), an aggrieved individual may bring proceedings before the Complaints Review Tribunal if the Commissioner believes that the complaint does not have substance or that the matter ought not to be proceeded with, or where the Proceedings Commissioner agrees to the individual bringing proceedings or declines to take proceedings.

ANTI-DISCRIMINATION NSW

Under section 91 of the Anti-Discrimination Act 1977 (NSW), a complainant may require the President to refer the complaint to the Administrative Decisions Tribunal where the President has given a notification. The President may give a notification if the President is satisfied that the complaint is frivolous, vexatious, misconceived or lacking in substance, or that for any other reason the complaint should not be entertained (section 90(1)).

ANTI-DISCRIMINATION QLD

If the Commissioner believes a complaint under the Anti-Discrimination Act 1991 (Qld) cannot be resolved by conciliation, the complainant may require the Commissioner to refer the complaint to the tribunal under section 164A or 166.

ANTI-DISCRIMINATION TAS

Under section 65 of the Anti-Discrimination Act 1998 (Tas), a complainant may have a rejected complaint reviewed by the tribunal. The Commissioner may reject a complaint, for example, if in the opinion of the Commissioner it is trivial, vexatious, misconceived or lacking in substance (section 64(1)(a)), or if the subject matter of the complaint has already been adequately dealt with by the Commissioner, a State authority or a Commonwealth statutory authority (section 64(1)(f)).

Appendix 13

Demographic information about complainants

As noted in the Issues Paper, the Office had not previously collected demographic information about complainants. To assist the Office to identify which sections of the community were making privacy complaints to the Office, it undertook a three month complainant demographic survey in December 2004, January 2005 and February 2005.

The Office wrote to all complainants who submitted a complaint during this time (not just complaints relating to the NPPs) and asked that they complete the survey and return it in a reply paid envelope. Complainants were advised that completing the survey was voluntary and that not completing it would not affect the way in which the Office dealt with their complaint. Complainants were also advised that the survey was anonymous and that the information collected was de-identified.

The Office sent the survey to approximately 250 individuals and received only 36 surveys in reply. This number of responses is too small to rely on as an accurate representation of total complainants. However, the Office was able to extract information from its complaint management software that suggests that, at least in respect of gender, the survey results may be representative.

The results of the survey are described below. However, the Office stresses that it is not known whether the results accurately reflect its client group. The Office has decided to continue with the complainant demographic survey, and it has become part of the standard complaint acknowledgement process.

Complainant Demographic Results

67% of complainants were male and 33% were female.

The largest group of complainants (33%) was aged between 40 and 49.

AGE OF COMPLAINANTS

0-18 – 0%
19-29 – 11%
30-39 – 19%
40-49 – 33%
50-59 – 14%
60-69 – 20%
70-79 – 0%
80-89 – 3%
90 or older – 0%

None of the complainants were Aboriginal or Torres Strait Islanders.

The majority of complainants (68%) were born in Australia and 20% were born in the UK. Other countries of birth stated by respondents were Canada, Fiji, Singapore and Sri Lanka.

Nearly all complainants (92%) listed English as the main language spoken in their home. Other respondents listed English and at least one other language spoken in their home, and a few surveys noted another language as the main language in their home.

Most complainants (71%) lived in a capital city; a further 17% lived in a major regional centre.

The level of education completed by complainants varied. Over half of the complainants had completed a Diploma/Advanced Diploma, Bachelor degree or Post-graduate degree.

Respondents listed the income category $0 - $25 000 more often than any other single category. However, 65% of respondents earned over $25 000, with 15% earning over $75 000.

The majority of complainants (83%) do have access to the internet.

Complainants found out about the Office through many different avenues, including lawyers, community organisations, government agencies, friends or family, and the Internet or a website.

Appendix 14

Complainant and respondent satisfaction survey

Background and methodology

The survey was conducted in February and March 2005. The purpose of the survey was to gauge the opinion of complainants and respondents with respect to the Office’s complaint handling process, and to seek suggestions from complainants and respondents about any possible improvements to the complaint handling service. The complainants and respondents interviewed were involved in the Office’s complaint handling process but were not necessarily involved in complaints relating to the NPPs.

In all, the Office interviewed 41 organisations and 100 individuals. All those surveyed were given a notice in accordance with IPP 2 and NPP 2.

There are a number of concerns about whether the completed surveys can be relied on as representative. This is because the method of selecting the subjects for the survey relied heavily on the use of the telephone and favoured those complainants and respondents who were more readily available by phone in the given time period (March 2005).

Of the 100 matters that were the subject of the interviews, 68 were investigations under section 40(1), 21 were preliminary inquiries under section 42 and in 11 cases the Office had declined to investigate the matter under section 40(1) or (2).

Results

1. Timeliness

58% of complainants thought that the complaint was not handled in a timely manner.

22% of respondents thought that the complaint was not handled in a timely manner; 63% thought that the handling was timely.

COMPLAINT DEALT WITH IN A TIMELY MANNER (Complainants / Respondents)

Strongly agree – 15% / 27%
Agree – 20% / 37%
Unsure – 7% / 15%
Disagree – 23% / 19%
Strongly disagree – 35% / 2%

2. Impartiality

44% of complainants thought that the staff acted fairly towards the parties.

89% of respondents thought that the staff acted fairly towards the parties.

3. Access to information about the complaint handling process

72% of complainants thought that the explanations given by the Office were clear, and 77% understood the forms and correspondence.

93% of respondents thought that the explanations given by the Office were clear, and 93% understood the forms and correspondence and found them clear.

4. How well reasons for the decisions are communicated

63% of complainants thought that they were given clear reasons for the decisions.

78% of respondents thought that they were given clear reasons for the decisions.

GIVEN CLEAR REASONS FOR DECISIONS (Complainants / Respondents)

Strongly agree – 13% / 32%
Agree – 50% / 46%
Unsure – 7% / 13%
Disagree – 16% / 7%
Strongly disagree – 14% / 2%

5. Method of communication

It appears that both complainants (44%) and respondents (66%) prefer hard copy correspondence.

6. Level of satisfaction

Service

There were mixed messages from complainants about the overall level of satisfaction with the service: 41% of complainants rated it as poor, but 39% rated it as either good, very good or excellent.

Respondents generally were more satisfied with the service, with 56% rating it as either very good or excellent.

The difference in the responses provided by complainants and respondents, and in their levels of satisfaction, is illustrated by the following table:

LEVEL OF SERVICE RECEIVED (Complainants / Respondents)

Excellent – 12% / 12%
Very good – 14% / 44%
Good – 13% / 17%
Satisfactory – 20% / 25%
Poor – 41% / 2%

Outcomes

86% of respondents and 34% of complainants were satisfied with the outcomes of the complaints. 56% of complainants were dissatisfied.

SATISFIED WITH THE OUTCOME OF THE COMPLAINT (Complainants / Respondents)

Strongly agree – 16% / 34%
Agree – 18% / 51%
Unsure – 10% / 8%
Disagree – 14% / 5%
Strongly disagree – 42% / 2%

7. Other Suggestions

Most of the suggestions focused on the need to “speed up the process” and to make it more transparent. Some focused on the need to remove the exemptions, particularly the small business exemption, and to give the Office more power and resources to investigate complaints.

A number of the respondents commented favourably on the queue referral system and welcomed additional opportunities to resolve the matter directly with customers.

[3] For example 90, 29, 65, 62, 63, 15, 47, 69 The AMA submission says that a number of patients lodge privacy complaints with the AMA as well as the Office. The AMA suggests that this may be attributed to the Office being unable to respond in a timely or satisfactory manner.

[24] The TIO deals with complaints relating to credit matters in the telecommunications industry, and it may be that some of the 1271 privacy-related complaints it dealt with in 2003-2004 involved credit privacy issues. The Office also deals with complaints relating to the credit reporting provisions of the Privacy Act under Part IIIA; however, the number of these complaints is not reflected in the figures in the text.

[25] For example, over half of the NPP complaints received against telecommunications sector organisations concerned use and disclosure issues under NPP 2, compared to approximately one third of all NPP complaints.

[26] A similar graph showing all NPP complaints received by issue type is included in the Compliance section of this report. It should be noted that complaints may be recorded under more than one issue type, and so the total number of complaints by issue type may exceed the total number of complaints.

[27] As with the previous graph, complaints may be recorded under more than one issue type.

[29] It was felt that there was very little difference between the NPPs and the CPI Code and that, essentially, the requirements in the CPI Code mirror those in the NPPs. If the CPI Code was not de-registered, the telecommunications sector would have been subject to two essentially identical privacy regimes under the NPPs and the CPI Code, enforceable by the Privacy Commissioner and the Australian Communications Authority respectively.

[32] Who’s got your number? Regulating the use of telecommunications customer information. Discussion paper issued by the Australian Communications Authority, 18 March 2004. Available at http://internet.aca.gov.au/acainterwr/telcomm/industry_standards/customer_info_disc_paper.pdf.

[33] 2004 Research into Community attitudes towards Privacy in Australia (released 26/10/04); 2001 Research into Community, Business and Government attitudes towards Privacy in Australia (released 31/7/01)

[34] For example Public Interest Determination 9 and 9A, Temporary Public Interest Determination 2005-1 and Determination 2005-1A, available at http://www.privacy.gov.au/act/publicinterest/index.html

[77] Of the 330 NPP complaints against health care providers received by the Office between 21 December 2001 and 31 January 2005, 163 concerned a refusal of access to health records and 19 concerned excessive or inappropriate charges for access (182 in total).

[88] The Victorian Health Privacy Principles are available at http://www.health.vic.gov.au/hsc/hppextract.pdf

[89] In contrast, Part IIIA of the Privacy Act which deals with credit reporting includes offences for contravention of a number of provisions, for example section 18K that sets out limits on disclosure of personal information by [private sector] credit reporting agencies.

[90] The injunction power may be used by the Office or others. To the Office’s knowledge it has only been used once. See Seven Network (Operations) Limited v Media Entertainment and Arts Alliance [2004] FCA 637 (21 May 2004).

[92] Section 52 of the Privacy Act deals with the Commissioner’s powers to make determinations.

[93] An organisation must comply with a determination. If it does not comply the individual or the Privacy Commissioner or a code adjudicator as appropriate may seek to have the determination enforced through the Federal Court or Federal Magistrates Court; the Courts will hear the matter de novo.

[94] Section 43(2) of the Privacy Act provides that ‘An investigation under this Division shall be conducted in private but otherwise in such manner as the Commissioner thinks fit’.

[118] Note that section 40(1A) of the Privacy Act says that the Commissioner must not investigate a complaint if the complainant did not complain to the respondent before complaining to the Commissioner. However the Commissioner may decide to investigate the complaint if he or she considers that it was not appropriate for the complainant to complain to the respondent.

[119] One submission made this comment in the context of credit reporting for example, where complainants are required to write to Baycorp Advantage in the first instance to obtain a copy of their credit information file and then write to the credit provider about the inaccuracy. While the credit reporting provisions are not under review, this issue is relevant to the NPPs where the credit information relates to commercial credit which is not regulated under the credit reporting provisions.

[138] Examples include: a credit provider’s mass removal of all payment defaults from a consumer credit reporting agency; significant system changes to information handling systems by a information technology company; and systemic information collection practices by a member of the finance industry.

[148] The Commissioner’s annual reports, available from the website at http://www.privacy.gov.au/publications/index.html, include these and other statistics about complaints and enquiries. Section 4.3.1 of the Commissioner’s annual report 2000-2001 notes that 35% of these calls were outside the Act’s jurisdiction.

[163] The Privacy Advisory Committee is established by section 82 of the Privacy Act. It consists of the Commissioner and up to six other members. Its functions are to advise the Commissioner; to recommend materials for inclusion in guidelines; and, subject to the Commissioner’s direction, to engage in and promote community education and community consultation.

[171] Commercial Television Code of Practice; Commercial Radio Codes of Practice; Subscription Television Broadcasting Codes of Practice; Community Broadcasting Codes of Practice; ABC Code of Practice (which applies to Television and Radio); SBS Codes of Practice

[180] The NHMRC also develops guidelines, similar to the section 95A guidelines, for research involving personal information held by the Australian Government Agencies under section 95 of the Privacy Act, which the Privacy Commissioner approves.

[184] It cites Research Report 5: What will be necessary to manage privacy, AC Neilson Consult, DoHA, 2003 p 16; Consumer Attitudes Towards Consent, Electronic Health Records and the Use of Health Data for Research Purposes, TQA Market Research Report, October 2004, DoHA.

[190] Lyndal Trevena, Les Irwig, Alexandra Barratt, ‘The Impact of Privacy Legislation on the Number and Characteristics of People who are Recruited for Research: a randomised control trial’; in press.

[191] It cites Research Report 5: What will be necessary to manage privacy, AC Neilson Consult, DoHA, 2003 p 16; Consumer Attitudes Towards Consent, Electronic Health Records and the Use of Health Data for Research Purposes, TQA Market Research report. October 2004, DHA.

[192] Each Australian state and territory has its own protective guardianship and administration legislation with tribunals and agencies having the necessary powers to achieve the legislation’s goals. Representatives from each jurisdiction comprise the Australian Guardianship and Administration Committee (AGAC). Its aim is to develop and promote interjurisdictional linkages. More information about AGAC and the guardianship and administration regimes of each jurisdiction is available at http://www.ijcga.gov.au/ .

[196] The United States Drivers Privacy Protection Act 1994; Europa Justice and Home Affairs Charter of Fundamental Rights; Human and Constitutional Rights South Africa; International Covenant on Civil and Political Rights; European Convention on Human Rights

[197] Reference is made to the decision in Leeth v The Commonwealth of Australia [1992] HCA 29

[198] Discussion paper no 8, Law Enforcement Information and Other Related Issues. http://www.privacy.org.nz.html

[210] Radio Frequency Identification (RFID) uses wireless technology to transmit product serial numbers from tags to a reader, without human intervention. It is regarded as a likely successor to barcode inventory tracking systems.

[211] ENUM is a protocol that links the public switched telephone network (PSTN) with the Internet by translating telephone numbers into a domain name format, so that the Internet’s Domain Name System can be used to look up the Internet services associated with a telephone number.

[212] Voice over Internet Protocol (VoIP), also called IP telephony, involves the transmission of telephone calls over a data network such as the Internet. In other words, VoIP can send voice, fax and other information over the Internet rather than through the PSTN or regular telephone network.

[213] Report on the Application of Data Protection Principles to the worldwide telecommunications networks: Information self-determination in the internet era; thoughts on Convention No. 108 for the purposes of the future work of the Consultative Committee (T-PD), Council of Europe Strasburg, 13/12/2004 p 19.

[214] See for example, article in Time Australia, 7 March 2005 ‘Are your secrets safe?’ Also, "Not the first time for ChoicePoint", MSNBC, 27 Feb 2005.

[232] Report on the Application of Data Protection Principles to the worldwide telecommunication networks: Information self-determination in the internet era; thoughts on Convention No. 108 for the purposes of the future work of the Consultative Committee (TPD), Council of Europe Strasburg, 13/12/2004 p 57.

[233] Report on the Application of Data Protection Principles to the worldwide telecommunication networks: Information self-determination in the internet era; thoughts on Convention No. 108 for the purposes of the future work of the Consultative Committee (TPD), Council of Europe Strasburg, 13/12/2004, p 58.

[234] Report on the Application of Data Protection Principles to the worldwide telecommunication networks: Information self-determination in the internet era; thoughts on Convention No. 108 for the purposes of the future work of the Consultative Committee (TPD), Council of Europe Strasburg, 13/12/2004 p 33.

[236] Submission on the HealthConnect Business Architecture Version 1.9, Office of the Privacy Commissioner, February 2005, para 102; Submission on the HealthConnect Interim Research Report and draft Systems Architecture, Office of the Privacy Commissioner, January 2004, para 49-60; and Submission to the HealthConnect draft Business Architecture, Office of the Privacy Commissioner, July 2002.

[237] A Privacy Impact Assessment (PIA) is an assessment tool that describes, in detail, the personal information flows in a project, and assesses the privacy risks a project may pose. The purpose of a PIA is to gain an understanding of, and to minimise, any adverse impacts a project may have on the privacy of individuals. A PIA may do this, for example, by helping to identify when collection of particular information is unnecessary to a project, or where accountability or oversight processes may reduce privacy risks. It enables an organisation to:

• describe fully and systematically, the way personal information ‘flows’ in the project

• analyse how these information flows will impact on privacy

• consider alternative, less privacy-intrusive practices

• assess and manage privacy risks during project development rather than retrospectively

• identify early, a project’s potential for further privacy erosion, for example, through ‘function creep’ (additional uses of a system, and/or the personal information it involves, beyond the original plans or expectations) and

• make informed choices and recommendations about how the project will proceed.

[243] An Australian Government identifier is a unique combination of letters and numbers, such as a Medicare number, which Australian Government agencies or their contracted service providers allot to an individual.

[245] The Privacy Commissioner made earlier temporary public interest determinations in similar terms in December 2001 for the commencement of the private sector privacy provisions.

[246] Section 6 of the Privacy Act defines 'health service' as an activity performed in relation to an individual:

• to assess, record, maintain or improve the individual's health; or

• to diagnose the individual's illness or disability; or

• to treat the individual's illness or disability or suspected illness or disability; or

• the dispensing of a prescription drug or medicinal preparation by a pharmacist.

The Privacy Act applies to all private sector organisations that deliver these types of services including: traditional health service providers such as private hospitals and day surgeries, medical practitioners, pharmacists, and allied health professionals such as counsellors, as well as complementary therapists, gyms, weight loss clinics and many others.

[247] See Australian Government Department of Health and Ageing 99, Australian Medical Association 29 and Mental Health Privacy Coalition 58.

[250] See Pharmaceutical Society v London and Provincial Supply Association (1879-80) 5 App Cas 857 (‘Pharmaceutical Society’) per Lord Blackburn at 869; see also the definition of ‘individual’ contained in subsection 22(1)(aa) of the Acts Interpretation Act 1901, the object of which is to distinguish between ‘a natural person as opposed to a body corporate or body politic’ (clause 127 of the Explanatory Memorandum to the Law and Justice Legislation Amendment Bill 1990); and also Osborn’s Concise Law Dictionary (7th ed) at 228.

[251] Unless, perhaps, the deceased person’s information forms part of a representative complaint; see sections 36(2) and 38(3).

[252] A document is an exempt document if its disclosure under this Act would involve the unreasonable disclosure of personal information about any person (including a deceased person).

[253]Australian Law Reform Commission 33, National Health and Medical Research Council 32, Australian Privacy Foundation 90, Australian Government Department Health and Ageing 99.